Bug 1629594 - land NSS 50dcc34d470d UPGRADE_NSS_RELEASE, r=jcj

2020-04-13 Kevin Jacobs <kjacobs@mozilla.com> * lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c: Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D70582 [50dcc34d470d] [tip] 2020-04-07 Robert Relyea <rrelyea@redhat.com> * lib/ckfw/builtins/testlib/Makefile: Bug 1465613 Fix gmake issue create by the patch which adds ability to distrust certificates issued after a certain date for a specified root cert r=jcj I've been trying to run down an issue I've been having, and I think this bug is the source. Whenever I build ('gmake' build), I get the following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ? lib/ckfw/builtins/testlib/bfind.o ? lib/ckfw/builtins/testlib/binst.o ? lib/ckfw/builtins/testlib/bobject.o ? lib/ckfw/builtins/testlib/bsession.o ? lib/ckfw/builtins/testlib/bslot.o ? lib/ckfw/builtins/testlib/btoken.o ? lib/ckfw/builtins/testlib/ckbiver.o ? lib/ckfw/builtins/testlib/constants.o This is because of the way lib/ckfw/builtins/testlib works, it uses the sources from the directory below, and explicitly reference them with ../{source_name}.c. The object file then becomes lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o. The simple fix would be to paper over the issue and just add these to .hgignore, but that would break our ability to build multiple platforms on a single source directory. I'll include a patch that fixes this issue. bob Differential Revision: https://phabricator.services.mozilla.com/D70077 [92058f185316] 2020-04-06 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh: Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt Part 2 of 2 Use the official PKCS #11 HKDF mechanism to implement tls 1.3. 1) The new mechanism is a single derive mechanism, so we no longer need to pick it based on the underlying hmac (Note, we still need to know the underlying hmac, which is passed in as a mechanism parameter). 2) Use the new keygen to generate CKK_HKDF keys rather than doing it by hand with the random number generator (never was really the best way of doing this). 3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the new key handle in the mechanism parameters to pass the salt when the salt is a key handle. Extract: use the explicit NULL salt parameter if for the hash len salt of zeros. 2) Expand: Expand is mostly a helper function which takes a mechanism. For regular expand, the mechanism is the normal _Derive, for the Raw version its the _Data function. That creates a data object, which is extractable in FIPS mode. 4) update slot handling in tls13hkdf.c: 1) we need to make sure that the key and the salt key are in the same slot. Provide a PK11wrap function to make that guarrentee (and use that function in PK11_WrapKey, which already has to do the same function). 2) When importing a 'data' key for the zero key case, make sure we import into the salt key's slot. If there is no salt key, use PK11_GetBestSlot() rather than PK11_GetInternal slot. Differential Revision: https://phabricator.services.mozilla.com/D69899 [3d2b1738e064] 2020-04-06 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/curve25519-vectors.h, gtests/common/testvectors/p256ecdh-vectors.h, gtests/common/testvectors/p384ecdh-vectors.h, gtests/common/testvectors/p521ecdh-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h, gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_misc-vectors.h, gtests/common/testvectors/rsa_signature-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h, gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h, gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h, gtests/common/testvectors_base/rsa_signature-vectors_base.txt, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, gtests/pk11_gtest/pk11_rsapss_unittest.cc: Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing, PKCS1 and OEAP decryption. r=bbeurdouche This patch updates the Wycheproof script to build RSA test vectors (covering PKCS1 decryption/verification, as well as PSS and OAEP) and adds the appropriate test drivers. Differential Revision: https://phabricator.services.mozilla.com/D69847 [469fd8633757] 2020-04-01 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/docker-fuzz32/Dockerfile: Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker image r=jcj We already install these packages on the image_builder image itself. It seems they're now required on the fuzz32 image as well. Differential Revision: https://phabricator.services.mozilla.com/D69274 [c7a8195e3072] 2020-04-01 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/Makefile: Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj [858209235972] * coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/gcm.c: Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj Only some Arm32 supports neon, so let's introduce NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when building for Arm32. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [b47b2c35aa64] 2020-04-01 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libsoftokn3.so.txt, automation/abi-check /expected-report-libssl3.so.txt: Fixup ABI checks after libabigail update and Delegated Credentials backport. r=me [7f50f6ca7658] 2020-03-31 hajma <tropikhajma@gmail.com> * coreconf/SunOS5.mk: Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS r=jcj [744788dd18dc] 2020-03-30 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c: Bug 1561637 TLS 1.3 does not work in FIPS mode Patch 1 of 2. This patch updates softoken and helper functions with the new PKCS #11 v3 HKDF, which handles all the correct key management so that we can work in FIPS mode 1) Salts can be passed in as data, as and explicit NULL (which per spec means a zero filled buffer of length of the underlying HMAC), or through a key handle 2) A Data object can be used as a key (explicitly allowed for this mechanism by the spec). 3) A special mechansism produces a data object rather than a key, the latter which can be exported. Softoken does not do the optional validation on the pInfo to verify that the requested values are supposed to be data rather than keys. Some other tokens may. The old hkdf mechanism has been retained for compatibility (well namely until patch 2 is created, tls is still using it). The hkdf function has been broken off into it's own function rather than inline in the derive function. Note: because the base key and/or the export key could really be a data object, our explicit handling of sensitive and extractable are adjusted to take into account that those flags do not exist in data objects. Differential Revision: https://phabricator.services.mozilla.com/D68940 [e0922aac5267] 2020-03-26 Hans Petter Jansson <hpj@cl.no> * cmd/lowhashtest/lowhashtest.c: Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs [f3c5ab41c972] 2020-03-26 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp: Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which are supported by older compilers r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D68407 [16ee7cb36fff] 2020-03-26 Robert Relyea <rrelyea@redhat.com> * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt Update ssl to use the new PK11_AEADOp() interface. 1. We restore the use of PK11Context_Create() for AEAD operations. 2. AES GCM and CHACHA/Poly specific functions are no longer needed as PK11_AEADOp() handles all the mechanism specific processing. 3. TLS semantic differences between the two algorithms is handled by their parameters: 1. Nonce length is the length of the nonce counter. If it's zero, then XOR_Counter is used (and the nonce length is the sizeof(sslSequenceNumber)). 2. IV length is the full IV length - nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is returned from the token in the encrypt case. Only in the explict nonce case is it examined. (The code depends on the fact that the count in the token will match sslSequenceNumber). I did have assert code to verify this was happening for testing, but it's removed from this patch it can be added back. 5. All the decrypt instances of XOR_Counter IV creation have been colapsed into tls13_WriteNonce(). 6. Even tough PK11_AEADOp returns and accepts the tag separately (for encrypt and decrypt respectively). The SSL code still returns the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS stream can use it instead of their own wrapped version. It can handle streams (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot tls13_AEAD(context=NULL). In the later case, the keys for the single shot operation should not be resued. 8. libssl_internals.c in the gtests directory has been updated to handle advancing the internal iv counter when we artifically advance the seqNum. Since we don't have access to any token iv counter (including softoken), The code switches to simulated message mode, and updates the simulated state as appropriate. (obviously this is for testing only code as it reaches into normally private data structures). Differential Revision: https://phabricator.services.mozilla.com/D68480 [e7c7f305078e] 2020-03-26 Robert Relyea <rrelyea@redhat.com> * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt Update ssl to use the new PK11_AEADOp() interface. 1. We restore the use of PK11Context_Create() for AEAD operations. 2. AES GCM and CHACHA/Poly specific functions are no longer needed as PK11_AEADOp() handles all the mechanism specific processing. 3. TLS semantic differences between the two algorithms is handled by their parameters: 1. Nonce length is the length of the nonce counter. If it's zero, then XOR_Counter is used (and the nonce length is the sizeof(sslSequenceNumber)). 2. IV length is the full IV length - nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is returned from the token in the encrypt case. Only in the explict nonce case is it examined. (The code depends on the fact that the count in the token will match sslSequenceNumber). I did have assert code to verify this was happening for testing, but it's removed from this patch it can be added back. 5. All the decrypt instances of XOR_Counter IV creation have been colapsed into tls13_WriteNonce(). 6. Even tough PK11_AEADOp returns and accepts the tag separately (for encrypt and decrypt respectively). The SSL code still returns the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS stream can use it instead of their own wrapped version. It can handle streams (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot tls13_AEAD(context=NULL). In the later case, the keys for the single shot operation should not be resued. 8. libssl_internals.c in the gtests directory has been updated to handle advancing the internal iv counter when we artifically advance the seqNum. Since we don't have access to any token iv counter (including softoken), The code switches to simulated message mode, and updates the simulated state as appropriate. (obviously this is for testing only code as it reaches into normally private data structures). Differential Revision: https://phabricator.services.mozilla.com/D68480 [e7c7f305078e] 2020-03-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/softoken/pkcs11.c: Bug 1624402 - Fix compilation error when NO_FORK_CHECK and CHECK_FORK_* are defined r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D67911 [0225889e5292] 2020-03-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/util/pkcs11.h: Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D67741 [7ab62d3d0445] 2020-03-19 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h, lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h, lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def, lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secport.h: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly PKCS #11 defines a new interface for handling AEAD type ciphers that allow multiple AEAD operations without repeating the key schedule. It also allows tokens to keep track of the number of operations, and generate IVs (depending on the cipher). This patch: 1. implement those new functions in softoken. With the addition of CKF_MESSAGE_* flags to various mechanism, we need to strip them when using the version 2 API of softoken (since there are no C_Message* function in version 2). For that we need a separate C_GetMechanismInfo function. We use the same trick we used to have a separate version function for the V2 interface. Also now that the new message functions are in their own file, they still need access to the common Session state processing functions. those have gone from static to exported within softoken to accomidate that. Same with sftk_MapDecryptError() (sftk_MapVerifyError() was also made global, though nothing else is yet using it). Only C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal, C_MessageDecryptInit(), C_DecryptMessage(), and C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(), C_EncryptMessageNext(), C_DecryptMessageBegin(), and C_DecryptMessageNext() are all part of the multi-part withing a multi-part operation and are only necessary for things like S/MIME (potentially). If we wanted to implement them, we would need more functions exported from freebl (and initaead, updateaead, finalaead for each mechanism type). 2. make those interfaces call aes_gcm and chacha20_poly1503 (and make adjustments for those ciphers). For AES, I added a new function AES_AEAD, which handles both encrypt and decrypt. Internally, the gcm functions (both the generic gcm and the intel gcm wrapper) had their init functions split into key scheduling and counter mode/tag initialization. The latter is still called from init, but the former is now for each update call. IV generation is handled by a single function in gcm.c, and shared with intel_gcm_wrapper.c Since the AES functions already know about the underlying PKCS #11 mechanism parameters, the new AEAD functions also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead update functions were created called ChaChaPoly1305_Encrypt and ChaChaChaPoly1305_Decrypt. There was no Message specific initialization in the existing chacha_init, so no changes were needed there. The primary difference between _Encrypt/_Decrypt and _Seal/_Open is the fact that the tag is put at the end of the encrypted data buffer in the latter, and in a generic buffer in the former. 3. create new pk11wrap interfaces that also squash the api differences between the various mechanisms for aead (similiar to the way we do it for CBC and ECB crypto today). To accomplish this I added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the case where the token only supports the single shot interface, by using the single short interface to simulate the Message interface. The PK11_AEADOp() also smooths out the differences in the parameters and symantics of the various mechanism so the application does not need to worry about the PKCS #11 differences in the mechanism. Both use contexts from the standard PK11_CreateContext(), so key schedules are done once for each key rather than once for each message. MESSAGE/AEAD operations are selected by adding the psuedo attribute flag CKA_NSS_MESSAGE to the requested operation (CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for the new interfaces Tests were added to make sure the PK11_AEADRawOp interface works, The single shot interface is used to test output of the message interface we also use two test only functions to force the connection to use the simulation interface, which is also compared to the non-simulate inteface. The AES_GCM also tests various IV generators. Differential Revision: https://phabricator.services.mozilla.com/D67552 [293ac3688ced] 2020-03-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/mpi/mpcpucache.c: Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended Features r=bbeurdouche While trying to benchmark the recent HACL* AVX2 code, I noticed that it was not being called on two machines (that both support AVX2), instead using only the AVX version. In order to query for Extended Features (cpuid with EAX=7), we also need to set ECX to 0: https://www.intel.com/content/www/us/en /architecture-and-technology/64-ia-32-architectures-software- developer-vol-2a-manual.html. The current code fails to do this, resulting in flags that show no support. Initially, I wrote a separate `freebl_cpuid_ex` function that accepted a value for ECX as a separate input argument. However, some definitions of `freebl_cpuid` already zero ECX, so making this consistent is the simplest way to get the desired behavior. With this patch, the two test machines (MacOS and Linux x64) correctly use the AVX2 ChaCha20Poly1305 code. Differential Revision: https://phabricator.services.mozilla.com/D67235 [06d41fe87c58] 2020-03-17 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h, lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c, lib/softoken/manifest.mn, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp, lib/softoken/softoken.h, lib/softoken/softokn.def, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation /abi-check/new-report-libsoftokn3.so.txt: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt Update to PKCS #11 v3.0 part 2. Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue. Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces are needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for firefox this is simply code that is no longer compilied. We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exists, we fall bak to the old C_GetFunctionList. There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList - return a table of all the supported interfaces C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list. C_SessionCancel - Cancel one or more multipart operation C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen. C_Message* and C_*Message* (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch). This patch adds regular (NSC_) and FIPS (FC_) versions of these functions. Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h. Differential Revision: https://phabricator.services.mozilla.com/D67240 [2364598f8a36] 2020-03-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_256.c: Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D65945 [7e09cdab32d0] 2020-03-02 Kurt Miller <kurt@intricatesoftware.com> * lib/freebl/blinit.c: Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj https://bugzilla.mozilla.org/show_bug.cgi?id=1618400 [2c989888dee7] 2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/blinit.c: Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs Some build environment doesn't provide <sys/auxv.h> and this causes build failure, so let's check if that header exists by using __has_include() helper. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [bb7c46049f26] 2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/libintvector.h: Bug 1617533 - Update of HACL* after libintvector.h and coding style changes. r=kjacobs *** Bug 1617533 - Clang format *** Bug 1617533 - Update HACL* commit for job in Taskcluster *** Bug 1617533 - Update HACL* Kremlin code Differential Revision: https://phabricator.services.mozilla.com/D63829 [b6677ae9067e] * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c: Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and Chacha20Poly1305. r=kjacobs *** Bug 1612493 - Import AVX2 code from HACL* *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and freebl.gyp *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t support -mavx2 *** Bug 1612493 - Disable tests when the platform doesn't have support for AVX2 Differential Revision: https://phabricator.services.mozilla.com/D64718 [d5deac55f543] 2020-02-18 Robert Relyea <rrelyea@redhat.com> * cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c, cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c, cmd/shlibsign/shlibsign.c, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c, lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c, lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c, lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c, lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c, lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/softoken/fipstokn.c, lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c, lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c, lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss- tool/enc/enctool.cc: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye https://phabricator.services.mozilla.com/D63241 This patch implements the first phase: updating the headers. lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h Were updated using the released OASIS PKCS #11 v3.0 header files. lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?. A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This include the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?. One notable change was caused by an inconsistancy between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure: CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined. Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS. One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the oasis version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PCKS #11 v3 defines. Most of this patch is to handle changing the deprecated defines that have been removed in PCKS #11 v3 from NSS. Differential Revision: https://phabricator.services.mozilla.com/D63241 [b5d90a7fe217] Differential Revision: https://phabricator.services.mozilla.com/D70773 --HG-- extra : moz-landing-system : lando
2025-03-02 22:37:50 +00:00 · 2020-04-14 17:53:38 +00:00 · 2020-04-14 17:53:38 +00:00 · 7d42f279f2
commit 7d42f279f2
parent 283bbcf851
179 changed files with 166523 additions and 3380 deletions
--- a/old-configure.in
+++ b/old-configure.in
@ -1506,7 +1506,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
    _USE_SYSTEM_NSS=1 )

 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.51.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.52, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi

 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_51_1_RTM
+50dcc34d470d
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@ -0,0 +1,21 @@
+6 Added functions:
+
+  [A] 'function SECStatus PK11_AEADOp(PK11Context*, CK_GENERATOR_FUNCTION, int, unsigned char*, int, const unsigned char*, int, unsigned char*, int*, int, unsigned char*, int, const unsigned char*, int)'    {PK11_AEADOp@@NSS_3.52}
+  [A] 'function SECStatus PK11_AEADRawOp(PK11Context*, void*, int, const unsigned char*, int, unsigned char*, int*, int, const unsigned char*, int)'    {PK11_AEADRawOp@@NSS_3.52}
+  [A] 'function CK_OBJECT_HANDLE PK11_GetObjectHandle(PK11ObjectType, void*, PK11SlotInfo**)'    {PK11_GetObjectHandle@@NSS_3.52}
+  [A] 'function SECStatus PK11_SymKeysToSameSlot(CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE, CK_ATTRIBUTE_TYPE, PK11SymKey*, PK11SymKey*, PK11SymKey**, PK11SymKey**)'    {PK11_SymKeysToSameSlot@@NSS_3.52}
+  [A] 'function PRBool _PK11_ContextGetAEADSimulation(PK11Context*)'    {_PK11_ContextGetAEADSimulation@@NSS_3.52}
+  [A] 'function SECStatus _PK11_ContextSetAEADSimulation(PK11Context*)'    {_PK11_ContextSetAEADSimulation@@NSS_3.52}
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus PK11_GetModInfo(SECMODModule*, CK_INFO*)' at pk11util.c:613:1 has some indirect sub-type changes:
+    parameter 1 of type 'SECMODModule*' has sub-type changes:
+      in pointed to type 'typedef SECMODModule' at secmodt.h:29:1:
+        underlying type 'struct SECMODModuleStr' at secmodt.h:44:1 changed:
+          type size changed from 1600 to 1664 (in bits)
+          1 data member insertion:
+            'CK_FLAGS SECMODModuleStr::flags', at offset 1600 (in bits) at secmodt.h:76:1
+          no data member change (1 filtered);
+
+
--- a/security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt
@ -0,0 +1,10 @@
+
+6 Added functions:
+
+  [A] 'function CK_RV C_GetInterface(CK_UTF8CHAR_PTR, CK_VERSION_PTR, CK_INTERFACE_PTR_PTR, CK_FLAGS)'    {C_GetInterface@@NSS_3.52}
+  [A] 'function CK_RV C_GetInterfaceList(CK_INTERFACE_PTR, CK_ULONG_PTR)'    {C_GetInterfaceList@@NSS_3.52}
+  [A] 'function CK_RV FC_GetInterface(CK_UTF8CHAR_PTR, CK_VERSION_PTR, CK_INTERFACE_PTR_PTR, CK_FLAGS)'    {FC_GetInterface@@NSS_3.52}
+  [A] 'function CK_RV FC_GetInterfaceList(CK_INTERFACE_PTR, CK_ULONG_PTR)'    {FC_GetInterfaceList@@NSS_3.52}
+  [A] 'function CK_RV NSC_GetInterface(CK_UTF8CHAR_PTR, CK_VERSION_PTR, CK_INTERFACE_PTR_PTR, CK_FLAGS)'    {NSC_GetInterface@@NSS_3.52}
+  [A] 'function CK_RV NSC_GetInterfaceList(CK_INTERFACE_PTR, CK_ULONG_PTR)'    {NSC_GetInterfaceList@@NSS_3.52}
+
--- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
@ -1,11 +0,0 @@
-
-1 function with some indirect sub-type change:
-
-  [C]'function SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc*, SSLExtensionType, PRBool*)' at sslreveal.c:72:1 has some indirect sub-type changes:
-    parameter 2 of type 'typedef SSLExtensionType' has sub-type changes:
-      underlying type 'enum __anonymous_enum__' at sslt.h:497:1 changed:
-        type size hasn't changed
-        1 enumerator change:
-          '__anonymous_enum__::ssl_delegated_credentials_xtn' from value '65282' to '34' at sslt.h:497:1
-
-
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@ -1 +1 @@
-NSS_3_50_BRANCH
+NSS_3_51_BRANCH
--- a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
@ -10,6 +10,8 @@ LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 RUN dpkg --add-architecture i386
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
+    apt-transport-https \
+    apt-utils \
    build-essential \
    ca-certificates \
    curl \
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@ -101,7 +101,7 @@ queue.filter(task => {
  // Don't run all additional hardware tests on ARM.
  if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
      (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
-       || task.env.NSS_DISABLE_AVX == "1")) {
+       || task.env.NSS_DISABLE_AVX == "1" || task.env.NSS_DISABLE_AVX2 == "1")) {
    return false;
  }

@ -1014,6 +1014,10 @@ function scheduleTests(task_build, task_cert, test_base) {
    name: "Cipher tests", symbol: "NoAVX", tests: "cipher",
    env: {NSS_DISABLE_AVX: "1"}, group: "Cipher"
  }));
+  queue.scheduleTask(merge(cert_base_long, {
+    name: "Cipher tests", symbol: "NoAVX2", tests: "cipher",
+    env: {NSS_DISABLE_AVX2: "1"}, group: "Cipher"
+  }));
  queue.scheduleTask(merge(cert_base_long, {
    name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher",
    env: {
--- a/security/nss/automation/taskcluster/scripts/run_hacl.sh
+++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh
@ -13,7 +13,7 @@ set -e -x -v
 # HACL CI.
 # When bug 1593647 is resolved, extract the code on CI again.
 git clone -q "https://github.com/project-everest/hacl-star" ~/hacl-star
-git -C ~/hacl-star checkout -q 186a985597d57e3b587ceb0ef6deb0b5de706ae2
+git -C ~/hacl-star checkout -q 079854e0072041d60859b6d8af2743bc6a37dc05

 # Format the C snapshot.
 cd ~/hacl-star/dist/mozilla
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@ -1481,7 +1481,7 @@ bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
    unsigned char *params;
    int len;
    CK_AES_CTR_PARAMS ctrParams;
-    CK_GCM_PARAMS gcmParams;
+    CK_NSS_GCM_PARAMS gcmParams;

    params = aesp->iv.buf.data;
    switch (cipherInfo->mode) {
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@ -1027,7 +1027,7 @@ aes_gcm(char *reqfn, int encrypt)
    unsigned int tagbits;
    unsigned int taglen = 0;
    unsigned int ivlen;
-    CK_GCM_PARAMS params;
+    CK_NSS_GCM_PARAMS params;
    SECStatus rv;

    aesreq = fopen(reqfn, "r");
--- a/security/nss/cmd/lib/pk11table.c
+++ b/security/nss/cmd/lib/pk11table.c
@ -102,7 +102,7 @@ const Constant _consts[] = {
    mkEntry(CKF_WRAP, MechanismFlags),
    mkEntry(CKF_UNWRAP, MechanismFlags),
    mkEntry(CKF_DERIVE, MechanismFlags),
-    mkEntry(CKF_EC_FP, MechanismFlags),
+    mkEntry(CKF_EC_F_P, MechanismFlags),
    mkEntry(CKF_EC_F_2M, MechanismFlags),
    mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags),
    mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags),
@ -128,7 +128,6 @@ const Constant _consts[] = {
    mkEntry(CKO_SECRET_KEY, Object),
    mkEntry(CKO_HW_FEATURE, Object),
    mkEntry(CKO_DOMAIN_PARAMETERS, Object),
-    mkEntry(CKO_KG_PARAMETERS, Object),
    mkEntry(CKO_NSS_CRL, Object),
    mkEntry(CKO_NSS_SMIME, Object),
    mkEntry(CKO_NSS_TRUST, Object),
@ -255,8 +254,8 @@ const Constant _consts[] = {
    mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust),
    mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None),
    mkEntry2(CKA_CERT_MD5_HASH, Attribute, None),
-    mkEntry2(CKA_NETSCAPE_DB, Attribute, None),
-    mkEntry2(CKA_NETSCAPE_TRUST, Attribute, Trust),
+    mkEntry2(CKA_NSS_DB, Attribute, None),
+    mkEntry2(CKA_NSS_TRUST, Attribute, Trust),

    mkEntry(CKM_RSA_PKCS, Mechanism),
    mkEntry(CKM_RSA_9796, Mechanism),
@ -473,16 +472,16 @@ const Constant _consts[] = {
    mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
    mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
    mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC4, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC4, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_MD5_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_MD2_HMAC_KEY_GEN, Mechanism),
    mkEntry(CKM_TLS_PRF_GENERAL, Mechanism),
    mkEntry(CKM_NSS_TLS_PRF_GENERAL_SHA256, Mechanism),

@ -520,7 +519,6 @@ const Constant _consts[] = {
    mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result),
    mkEntry(CKR_KEY_NOT_WRAPPABLE, Result),
    mkEntry(CKR_KEY_UNEXTRACTABLE, Result),
-    mkEntry(CKR_KEY_PARAMS_INVALID, Result),
    mkEntry(CKR_MECHANISM_INVALID, Result),
    mkEntry(CKR_MECHANISM_PARAM_INVALID, Result),
    mkEntry(CKR_OBJECT_HANDLE_INVALID, Result),
--- a/security/nss/cmd/lowhashtest/lowhashtest.c
+++ b/security/nss/cmd/lowhashtest/lowhashtest.c
@ -415,7 +415,7 @@ main(int argc, char **argv)
        return 1;
    }

-    if (argc || !argv[1] || strlen(argv[1]) == 0) {
+    if (argc < 2 || !argv[1] || strlen(argv[1]) == 0) {
        rv += testMD5(initCtx);
        rv += testSHA1(initCtx);
        rv += testSHA224(initCtx);
@ -428,7 +428,7 @@ main(int argc, char **argv)
        rv += testSHA1(initCtx);
    } else if (strcmp(argv[1], "SHA224") == 0) {
        rv += testSHA224(initCtx);
-    } else if (strcmp(argv[1], "SHA226") == 0) {
+    } else if (strcmp(argv[1], "SHA256") == 0) {
        rv += testSHA256(initCtx);
    } else if (strcmp(argv[1], "SHA384") == 0) {
        rv += testSHA384(initCtx);
--- a/security/nss/cmd/pk11gcmtest/pk11gcmtest.c
+++ b/security/nss/cmd/pk11gcmtest/pk11gcmtest.c
@ -45,7 +45,7 @@ aes_encrypt_buf(
    SECItem key_item;
    PK11SlotInfo *slot = NULL;
    PK11SymKey *symKey = NULL;
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
    SECItem param;

    /* Import key into NSS. */
@ -102,7 +102,7 @@ aes_decrypt_buf(
    SECItem key_item;
    PK11SlotInfo *slot = NULL;
    PK11SymKey *symKey = NULL;
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
    SECItem param;

    if (inputlen + tagsize > sizeof(concatenated)) {
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@ -16,7 +16,7 @@
 #include <string.h>
 #include <stdarg.h>

-#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
+#if defined(XP_UNIX) && defined(DO_FORK_CHECK)
 #include <unistd.h>
 #include <sys/wait.h>
 #else
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@ -483,8 +483,8 @@ static const tuple_str errStrings[] = {
    { CKR_MUTEX_NOT_LOCKED, "CKR_MUTEX_NOT_LOCKED                " },
    { CKR_FUNCTION_REJECTED, "CKR_FUNCTION_REJECTED               " },
    { CKR_VENDOR_DEFINED, "CKR_VENDOR_DEFINED                  " },
-    { 0xCE534351, "CKR_NETSCAPE_CERTDB_FAILED          " },
-    { 0xCE534352, "CKR_NETSCAPE_KEYDB_FAILED           " }
+    { 0xCE534351, "CKR_NSS_CERTDB_FAILED          " },
+    { 0xCE534352, "CKR_NSS_KEYDB_FAILED           " }

 };

--- a/security/nss/coreconf/SunOS5.mk
+++ b/security/nss/coreconf/SunOS5.mk
@ -35,6 +35,7 @@ DEFAULT_COMPILER = cc
 ifdef NS_USE_GCC
 	CC         = gcc
 	OS_CFLAGS += -Wall -Wno-format -Werror-implicit-function-declaration -Wno-switch
+	OS_CFLAGS += -D__EXTENSIONS__
 	CCC        = g++
 	CCC       += -Wall -Wno-format
 	ASFLAGS	  += -x assembler-with-cpp
--- a/security/nss/coreconf/arch.mk
+++ b/security/nss/coreconf/arch.mk
@ -139,6 +139,35 @@ ifeq ($(OS_ARCH),OS_2)
    OS_RELEASE := $(shell uname -v)
 endif

+#######################################################################
+# Master "Core Components" macros for Hardware features               #
+#######################################################################
+
+ifndef NSS_DISABLE_AVX2
+    ifneq ($(CPU_ARCH),x86_64)
+        # Disable AVX2 entirely on non-Intel platforms
+        NSS_DISABLE_AVX2 = 1
+        $(warning CPU_ARCH is not x86_64, disabling -mavx2)
+    else
+        ifdef CC_IS_CLANG
+            # Clang reports its version as an older gcc, but it's OK
+            NSS_DISABLE_AVX2 = 0
+        else
+            ifneq (,$(filter 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+                NSS_DISABLE_AVX2 = 0
+            endif
+            ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+                NSS_DISABLE_AVX2 = 0
+            endif
+        endif
+        ifndef NSS_DISABLE_AVX2
+            $(warning Unable to find gcc 4.8 or greater, disabling -Werror)
+            NSS_DISABLE_AVX2 = 1
+        endif
+    endif
+    export NSS_DISABLE_AVX2
+endif #ndef NSS_DISABLE_AVX2
+
 #######################################################################
 # Master "Core Components" macros for getting the OS target           #
 #######################################################################
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@ -103,6 +103,7 @@
    'disable_libpkix%': 1,
    'disable_werror%': 0,
    'disable_altivec%': 0,
+    'disable_arm32_neon%': 0,
    'mozilla_client%': 0,
    'comm_client%': 0,
    'moz_fold_libs%': 0,
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@ -162,6 +162,10 @@ ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif

+ifdef NSS_DISABLE_AVX2
+DEFINES += -DNSS_DISABLE_AVX2
+endif
+
 ifdef NSS_DISABLE_CHACHAPOLY
 DEFINES += -DNSS_DISABLE_CHACHAPOLY
 endif
@ -196,6 +200,11 @@ DEFINES += -DPKIX_OBJECT_LEAK_TEST
 endif
 endif

+# Avoid building with Neon acceleration on Arm32
+ifdef NSS_DISABLE_ARM32_NEON
+DEFINES += -DNSS_DISABLE_ARM32_NEON
+endif
+
 # Avoid building with PowerPC's Altivec acceleration
 ifdef NSS_DISABLE_ALTIVEC
 DEFINES += -DNSS_DISABLE_ALTIVEC
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/gtests/common/testvectors/curve25519-vectors.h
+++ b/security/nss/gtests/common/testvectors/curve25519-vectors.h
@ -74,7 +74,7 @@ const EcdhTestVectorStr kCurve25519Vectors[] = {
     false,
     false}};

-const EcdhTestVectorStr kCurve25519WycheproofVectors[] = {
+const EcdhTestVector kCurve25519WycheproofVectors[] = {

    // Comment: normal case
    {1,
--- a/security/nss/gtests/common/testvectors/p256ecdh-vectors.h
+++ b/security/nss/gtests/common/testvectors/p256ecdh-vectors.h
@ -12,7 +12,7 @@

 #include "testvectors_base/test-structs.h"

-const EcdhTestVectorStr kP256EcdhWycheproofVectors[] = {
+const EcdhTestVector kP256EcdhWycheproofVectors[] = {

    // Comment: normal case
    // tcID: 1
--- a/security/nss/gtests/common/testvectors/p384ecdh-vectors.h
+++ b/security/nss/gtests/common/testvectors/p384ecdh-vectors.h
@ -12,7 +12,7 @@

 #include "testvectors_base/test-structs.h"

-const EcdhTestVectorStr kP384EcdhWycheproofVectors[] = {
+const EcdhTestVector kP384EcdhWycheproofVectors[] = {

    // Comment: normal case
    // tcID: 1
--- a/security/nss/gtests/common/testvectors/p521ecdh-vectors.h
+++ b/security/nss/gtests/common/testvectors/p521ecdh-vectors.h
@ -12,7 +12,7 @@

 #include "testvectors_base/test-structs.h"

-const EcdhTestVectorStr kP521EcdhWycheproofVectors[] = {
+const EcdhTestVector kP521EcdhWycheproofVectors[] = {

    // Comment: normal case
    // tcID: 1
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_pss_misc-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_pss_misc-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h
--- a/security/nss/gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h
+++ b/security/nss/gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h
--- a/security/nss/gtests/common/testvectors_base/rsa_signature-vectors_base.txt
+++ b/security/nss/gtests/common/testvectors_base/rsa_signature-vectors_base.txt
@ -0,0 +1,52 @@
+// kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo.
+  const uint8_t kSpki[] = {
+      0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+      0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
+      0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9,
+      0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb,
+      0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0,
+      0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef,
+      0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa,
+      0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76,
+      0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25,
+      0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79,
+      0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49,
+      0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd,
+      0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61,
+      0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
+  };
+  // kHash is the SHA-256 hash of {1,2,3,4}.
+  const uint8_t kHash[] = {
+      0x9f, 0x64, 0xa7, 0x47, 0xe1, 0xb9, 0x7f, 0x13, 0x1f, 0xab, 0xb6,
+      0xb4, 0x47, 0x29, 0x6c, 0x9b, 0x6f, 0x02, 0x01, 0xe7, 0x9f, 0xb3,
+      0xc5, 0x35, 0x6e, 0x6c, 0x77, 0xe8, 0x9b, 0x6a, 0x80, 0x6a,
+  };
+  // kSignature is the signature of kHash with RSASSA-PKCS1-v1_5.
+  const uint8_t kSignature[] = {
+      0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
+      0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
+      0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
+      0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
+      0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
+      0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
+      0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
+      0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
+      0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
+      0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
+      0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
+  };
+  // kSignature is an invalid signature of kHash with RSASSA-PKCS1-v1_5 with the
+  // NULL parameter omitted.
+  const uint8_t kSignatureInvalid[] = {
+      0x71, 0x6c, 0x24, 0x4e, 0xc9, 0x9b, 0x19, 0xc7, 0x49, 0x29, 0xb8, 0xd4,
+      0xfb, 0x26, 0x23, 0xc0, 0x96, 0x18, 0xcd, 0x1e, 0x60, 0xe8, 0x88, 0x94,
+      0x8c, 0x59, 0xfb, 0x58, 0x5c, 0x61, 0x58, 0x7a, 0xae, 0xcc, 0xeb, 0xee,
+      0x1e, 0x85, 0x7d, 0x83, 0xa9, 0xdc, 0x6f, 0x4c, 0x34, 0x5c, 0xcb, 0xd9,
+      0xde, 0x58, 0x76, 0xdf, 0x1f, 0x5e, 0xd4, 0x57, 0x5b, 0xeb, 0xaf, 0x4f,
+      0x7a, 0xa7, 0x6b, 0x21, 0xf1, 0x0a, 0x96, 0x78, 0xc7, 0xa8, 0x02, 0x7a,
+      0xc2, 0x06, 0xd3, 0x18, 0x79, 0x72, 0x6b, 0xfe, 0x2d, 0xec, 0xd8, 0x8e,
+      0x98, 0x86, 0x89, 0xf4, 0x67, 0x14, 0x2b, 0xac, 0x6d, 0xd7, 0x04, 0xd8,
+      0xab, 0x05, 0xe6, 0x51, 0xf6, 0xee, 0x58, 0x63, 0xef, 0x6a, 0x3e, 0x89,
+      0x99, 0x2a, 0x1c, 0x10, 0xc2, 0xd0, 0x41, 0x9e, 0x1e, 0x9a, 0x9a, 0x57,
+      0x32, 0x0f, 0x49, 0xb4, 0x57, 0x37, 0xa4, 0x26,
+  };
--- a/security/nss/gtests/common/testvectors_base/test-structs.h
+++ b/security/nss/gtests/common/testvectors_base/test-structs.h
@ -12,6 +12,8 @@

 #include <string>
 #include <vector>
+#include "secoidt.h"
+#include "pkcs11t.h"

 typedef struct AesCbcTestVectorStr {
  uint32_t id;
@ -64,4 +66,43 @@ typedef struct EcdhTestVectorStr {
  bool valid;
 } EcdhTestVector;

+typedef struct RsaSignatureTestVectorStr {
+  SECOidTag hash_oid;
+  uint32_t id;
+  std::vector<uint8_t> sig;
+  std::vector<uint8_t> public_key;
+  std::vector<uint8_t> msg;
+  bool valid;
+} RsaSignatureTestVector;
+
+typedef struct RsaDecryptTestVectorStr {
+  uint32_t id;
+  std::vector<uint8_t> msg;
+  std::vector<uint8_t> ct;
+  std::vector<uint8_t> priv_key;
+  bool valid;
+} RsaDecryptTestVector;
+
+typedef struct RsaOaepTestVectorStr {
+  SECOidTag hash_oid;
+  CK_RSA_PKCS_MGF_TYPE mgf_hash;
+  uint32_t id;
+  std::vector<uint8_t> msg;
+  std::vector<uint8_t> ct;
+  std::vector<uint8_t> label;
+  std::vector<uint8_t> priv_key;
+  bool valid;
+} RsaOaepTestVector;
+
+typedef struct RsaPssTestVectorStr {
+  SECOidTag hash_oid;
+  CK_RSA_PKCS_MGF_TYPE mgf_hash;
+  uint32_t id;
+  unsigned long sLen;
+  std::vector<uint8_t> sig;
+  std::vector<uint8_t> public_key;
+  std::vector<uint8_t> msg;
+  bool valid;
+} RsaPssTestVector;
+
 #endif  // test_structs_h__
--- a/security/nss/gtests/common/wycheproof/genTestVectors.py
+++ b/security/nss/gtests/common/wycheproof/genTestVectors.py
@ -158,6 +158,117 @@ class ECDH():

        return result

+class RSA_PKCS1_SIGNATURE():
+    pub_keys = {}
+
+    def format_testcase(self, testcase, key, keysize, hash_oid, out_defs):
+        # To avoid hundreds of copies of the same key, define it once and reuse.
+        key_name = "pub_key_"
+        if key in self.pub_keys:
+            key_name = self.pub_keys[key]
+        else:
+            key_name += str(len(self.pub_keys))
+            self.pub_keys[key] = key_name
+            out_defs.append('static const std::vector<uint8_t> ' + key_name + string_to_hex_array(key) + ';\n\n')
+
+        result = '\n// Comment: {}'.format(testcase['comment'])
+        result += '\n// tcID: {}\n'.format(testcase['tcId'])
+        result += '{{{}, {}, \n'.format(hash_oid, testcase['tcId'])
+        result += '{},\n'.format(string_to_hex_array(testcase['sig']))
+        result += '{},\n'.format(key_name)
+        result += '{},\n'.format(string_to_hex_array(testcase['msg']))
+
+        valid = testcase['result'] == 'valid'
+        if not valid and testcase['result'] == 'acceptable':
+            valid = keysize >= 1024 and ('SmallModulus' in testcase['flags'] or
+                                         'SmallPublicKey' in testcase['flags'])
+        result += '{}}},\n'.format(str(valid).lower())
+
+        return result
+
+
+class RSA_PKCS1_DECRYPT():
+    priv_keys = {}
+
+    def format_testcase(self, testcase, priv_key, key_size, out_defs):
+        key_name = "priv_key_"
+        if priv_key in self.priv_keys:
+            key_name = self.priv_keys[priv_key]
+        else:
+            key_name += str(len(self.priv_keys))
+            self.priv_keys[priv_key] = key_name
+            out_defs.append('static const std::vector<uint8_t> ' + key_name + string_to_hex_array(priv_key) + ';\n\n')
+
+        result = '\n// Comment: {}'.format(testcase['comment'])
+        result += '\n// tcID: {}'.format(testcase['tcId'])
+        result += '\n{{{},\n'.format(testcase['tcId'])
+        result += '{},\n'.format(string_to_hex_array(testcase['msg']))
+        result += '{},\n'.format(string_to_hex_array(testcase['ct']))
+        result += '{},\n'.format(key_name)
+        valid = testcase['result'] == 'valid'
+        result += '{}}},\n'.format(str(valid).lower())
+
+        return result
+
+class RSA_PSS():
+    pub_keys = {}
+
+    def format_testcase(self, testcase, key, hash_oid, mgf_hash, sLen, out_defs):
+        key_name = "pub_key_"
+        if key in self.pub_keys:
+            key_name = self.pub_keys[key]
+        else:
+            key_name += str(len(self.pub_keys))
+            self.pub_keys[key] = key_name
+            out_defs.append('static const std::vector<uint8_t> ' + key_name + string_to_hex_array(key) + ';\n\n')
+
+        result = '\n// Comment: {}'.format(testcase['comment'])
+        result += '\n// tcID: {}\n'.format(testcase['tcId'])
+        result += '{{{}, {}, {}, {},\n'.format(hash_oid, mgf_hash, testcase['tcId'], sLen)
+        result += '{},\n'.format(string_to_hex_array(testcase['sig']))
+        result += '{},\n'.format(key_name)
+        result += '{},\n'.format(string_to_hex_array(testcase['msg']))
+
+        valid = testcase['result'] == 'valid'
+        if not valid and testcase['result'] == 'acceptable':
+            valid = ('WeakHash' in testcase['flags'])
+        result += '{}}},\n'.format(str(valid).lower())
+
+        return result
+
+class RSA_OAEP():
+    priv_keys = {}
+
+    def format_testcase(self, testcase, key, hash_oid, mgf_hash, out_defs):
+        key_name = "priv_key_"
+        if key in self.priv_keys:
+            key_name = self.priv_keys[key]
+        else:
+            key_name += str(len(self.priv_keys))
+            self.priv_keys[key] = key_name
+            out_defs.append('static const std::vector<uint8_t> ' + key_name + string_to_hex_array(key) + ';\n\n')
+
+        result = '\n// Comment: {}'.format(testcase['comment'])
+        result += '\n// tcID: {}\n'.format(testcase['tcId'])
+        result += '{{{}, {}, {},\n'.format(hash_oid, mgf_hash, testcase['tcId'])
+        result += '{},\n'.format(string_to_hex_array(testcase['msg']))
+        result += '{},\n'.format(string_to_hex_array(testcase['ct']))
+        result += '{},\n'.format(string_to_hex_array(testcase['label']))
+        result += '{},\n'.format(key_name)
+
+        valid = testcase['result'] == 'valid'
+        result += '{}}},\n'.format(str(valid).lower())
+
+        return result
+
+def getSha(sha):
+    s = sha.split("-")
+    return "SEC_OID_SHA" + s[1]
+
+def getMgfSha(sha):
+    s = sha.split("-")
+    return "CKG_MGF1_SHA" + s[1]
+
 def generate_vectors_file(params):
    """
    Generate and store a .h-file with test vectors for one test.
@ -183,16 +294,16 @@ def generate_vectors_file(params):

    for include in standard_params['includes']:
        header += "#include " + include + "\n"
-    
+
    header += "\n"

    if 'includes' in params:
        for include in params['includes']:
            header += "#include " + include + "\n"
-
        header += "\n"

-    vectors_file = header + base_vectors + params['array_init']
+    shared_defs = []
+    vectors_file = base_vectors + params['array_init']

    for group in cases['testGroups']:
        for test in group['tests']:
@ -200,6 +311,15 @@ def generate_vectors_file(params):
                if 'curve' in group['key'] and group['key']['curve'] not in ['secp256r1', 'secp384r1', 'secp521r1']:
                    continue
                vectors_file += params['formatter'].format_testcase(test, group['keyDer'], getSha(group['sha']), group['key']['keySize'])
+            elif 'type' in group and group['type'] == 'RsassaPssVerify':
+                sLen = group['sLen'] if 'sLen' in group else 0
+                vectors_file += params['formatter'].format_testcase(test, group['keyDer'], getSha(group['sha']), getMgfSha(group['mgfSha']), sLen, shared_defs)
+            elif 'type' in group and group['type'] == 'RsaesOaepDecrypt':
+                vectors_file += params['formatter'].format_testcase(test, group['privateKeyPkcs8'], getSha(group['sha']), getMgfSha(group['mgfSha']), shared_defs)
+            elif 'keyDer' in group:
+                vectors_file += params['formatter'].format_testcase(test, group['keyDer'], group['keysize'], getSha(group['sha']), shared_defs)
+            elif 'privateKeyPkcs8' in group:
+                vectors_file += params['formatter'].format_testcase(test, group['privateKeyPkcs8'], group['keysize'], shared_defs)
            elif 'curve' in group:
                if group['curve'] == 'secp256r1':
                    curve = ec.SECP256R1()
@ -219,6 +339,9 @@ def generate_vectors_file(params):
    vectors_file += "#endif // " + params['section'] + '\n'

    with open(os.path.join(script_dir, params['target']), 'w') as target:
+        target.write(header)
+        for definition in shared_defs:
+            target.write(definition)
        target.write(vectors_file)


@ -299,7 +422,7 @@ curve25519_params = {
    'source_file': 'x25519_test.json',
    'base': '../testvectors_base/curve25519-vectors_base.h',
    'target': '../testvectors/curve25519-vectors.h',
-    'array_init': 'const EcdhTestVectorStr kCurve25519WycheproofVectors[] = {\n',
+    'array_init': 'const EcdhTestVector kCurve25519WycheproofVectors[] = {\n',
    'formatter' : Curve25519(),
    'crop_size_end': -2,
    'section': 'curve25519_vectors_h__',
@ -312,7 +435,7 @@ p256ecdh_params = {
    'source_dir': 'source_vectors/',
    'source_file': 'ecdh_secp256r1_test.json',
    'target': '../testvectors/p256ecdh-vectors.h',
-    'array_init': 'const EcdhTestVectorStr kP256EcdhWycheproofVectors[] = {\n',
+    'array_init': 'const EcdhTestVector kP256EcdhWycheproofVectors[] = {\n',
    'formatter' : ECDH(),
    'crop_size_end': -2,
    'section': 'p256ecdh_vectors_h__',
@ -323,7 +446,7 @@ p384ecdh_params = {
    'source_dir': 'source_vectors/',
    'source_file': 'ecdh_secp384r1_test.json',
    'target': '../testvectors/p384ecdh-vectors.h',
-    'array_init': 'const EcdhTestVectorStr kP384EcdhWycheproofVectors[] = {\n',
+    'array_init': 'const EcdhTestVector kP384EcdhWycheproofVectors[] = {\n',
    'formatter' : ECDH(),
    'crop_size_end': -2,
    'section': 'p384ecdh_vectors_h__',
@ -334,13 +457,315 @@ p521ecdh_params = {
    'source_dir': 'source_vectors/',
    'source_file': 'ecdh_secp521r1_test.json',
    'target': '../testvectors/p521ecdh-vectors.h',
-    'array_init': 'const EcdhTestVectorStr kP521EcdhWycheproofVectors[] = {\n',
+    'array_init': 'const EcdhTestVector kP521EcdhWycheproofVectors[] = {\n',
    'formatter' : ECDH(),
    'crop_size_end': -2,
    'section': 'p521ecdh_vectors_h__',
    'comment' : ''
 }

+rsa_signature_2048_sha224_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_2048_sha224_test.json',
+    'target': '../testvectors/rsa_signature_2048_sha224-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature2048Sha224WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_2048_sha224_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_2048_sha256_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_2048_sha256_test.json',
+    'target': '../testvectors/rsa_signature_2048_sha256-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature2048Sha256WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_2048_sha256_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_2048_sha512_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_2048_sha512_test.json',
+    'target': '../testvectors/rsa_signature_2048_sha512-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature2048Sha512WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_2048_sha512_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_3072_sha256_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_3072_sha256_test.json',
+    'target': '../testvectors/rsa_signature_3072_sha256-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature3072Sha256WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_3072_sha256_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_3072_sha256_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_3072_sha256_test.json',
+    'target': '../testvectors/rsa_signature_3072_sha256-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature3072Sha256WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_3072_sha256_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_3072_sha384_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_3072_sha384_test.json',
+    'target': '../testvectors/rsa_signature_3072_sha384-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature3072Sha384WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_3072_sha384_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_3072_sha512_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_3072_sha512_test.json',
+    'target': '../testvectors/rsa_signature_3072_sha512-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature3072Sha512WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_3072_sha512_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_4096_sha384_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_4096_sha384_test.json',
+    'target': '../testvectors/rsa_signature_4096_sha384-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature4096Sha384WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_4096_sha384_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_4096_sha512_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_4096_sha512_test.json',
+    'target': '../testvectors/rsa_signature_4096_sha512-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignature4096Sha512WycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_4096_sha512_vectors_h__',
+    'comment' : ''
+}
+
+rsa_signature_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_signature_test.json',
+    'base': '../testvectors_base/rsa_signature-vectors_base.txt',
+    'target': '../testvectors/rsa_signature-vectors.h',
+    'array_init': 'const RsaSignatureTestVector kRsaSignatureWycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_SIGNATURE(),
+    'crop_size_end': -2,
+    'section': 'rsa_signature_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pkcs1_dec_2048_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pkcs1_2048_test.json',
+    'target': '../testvectors/rsa_pkcs1_2048_test-vectors.h',
+    'array_init': 'const RsaDecryptTestVector kRsa2048DecryptWycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_DECRYPT(),
+    'crop_size_end': -2,
+    'section': 'rsa_pkcs1_2048_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pkcs1_dec_3072_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pkcs1_3072_test.json',
+    'target': '../testvectors/rsa_pkcs1_3072_test-vectors.h',
+    'array_init': 'const RsaDecryptTestVector kRsa3072DecryptWycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_DECRYPT(),
+    'crop_size_end': -2,
+    'section': 'rsa_pkcs1_3072_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pkcs1_dec_4096_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pkcs1_4096_test.json',
+    'target': '../testvectors/rsa_pkcs1_4096_test-vectors.h',
+    'array_init': 'const RsaDecryptTestVector kRsa4096DecryptWycheproofVectors[] = {\n',
+    'formatter' : RSA_PKCS1_DECRYPT(),
+    'crop_size_end': -2,
+    'section': 'rsa_pkcs1_4096_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_2048_sha256_mgf1_32_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_2048_sha256_mgf1_32_test.json',
+    'target': '../testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h',
+    # One key is used in both files. Just pull in the header that defines it.
+    'array_init': '''#include "testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h"\n\n
+                      const RsaPssTestVector kRsaPss2048Sha25632WycheproofVectors[] = {\n''',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_2048_sha256_32_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_2048_sha256_mgf1_0_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_2048_sha256_mgf1_0_test.json',
+    'target': '../testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPss2048Sha2560WycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_2048_sha256_0_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_2048_sha1_mgf1_20_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_2048_sha1_mgf1_20_test.json',
+    'target': '../testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPss2048Sha120WycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_2048_sha1_20_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_3072_sha256_mgf1_32_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_3072_sha256_mgf1_32_test.json',
+    'target': '../testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPss3072Sha25632WycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_3072_sha256_32_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_4096_sha256_mgf1_32_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_4096_sha256_mgf1_32_test.json',
+    'target': '../testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPss4096Sha25632WycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_4096_sha256_32_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_4096_sha512_mgf1_32_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_4096_sha512_mgf1_32_test.json',
+    'target': '../testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPss4096Sha51232WycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_4096_sha512_32_vectors_h__',
+    'comment' : ''
+}
+
+rsa_pss_misc_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_pss_misc_test.json',
+    'target': '../testvectors/rsa_pss_misc-vectors.h',
+    'array_init': 'const RsaPssTestVector kRsaPssMiscWycheproofVectors[] = {\n',
+    'formatter' : RSA_PSS(),
+    'crop_size_end': -2,
+    'section': 'rsa_pss_misc_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha1_mgf1sha1_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha1_mgf1sha1_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha1WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha1_mgf1sha1_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha256_mgf1sha1_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha256_mgf1sha1_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha256Mgf1Sha1WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha256_mgf1sha1_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha256_mgf1sha256_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha256_mgf1sha256_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha256Mgf1Sha256WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha256_mgf1sha256_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha384_mgf1sha1_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha384_mgf1sha1_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha384Mgf1Sha1WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha384_mgf1sha1_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha384_mgf1sha384_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha384_mgf1sha384_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha384Mgf1Sha384WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha384_mgf1sha384_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha512_mgf1sha1_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha512_mgf1sha1_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha512Mgf1Sha1WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha512_mgf1sha1_vectors_h__',
+    'comment' : ''
+}
+
+rsa_oaep_2048_sha512_mgf1sha512_params = {
+    'source_dir': 'source_vectors/',
+    'source_file': 'rsa_oaep_2048_sha512_mgf1sha512_test.json',
+    'target': '../testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h',
+    'array_init': 'const RsaOaepTestVector kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors[] = {\n',
+    'formatter' : RSA_OAEP(),
+    'crop_size_end': -2,
+    'section': 'rsa_oaep_2048_sha512_mgf1sha512_vectors_h__',
+    'comment' : ''
+}
+
+
+
 def update_tests(tests):

    remote = "https://raw.githubusercontent.com/google/wycheproof/master/testvectors/"
@ -357,7 +782,33 @@ def generate_test_vectors():
                 curve25519_params,
                 p256ecdh_params,
                 p384ecdh_params,
-                 p521ecdh_params]
+                 p521ecdh_params,
+                 rsa_oaep_2048_sha1_mgf1sha1_params,
+                 rsa_oaep_2048_sha256_mgf1sha1_params,
+                 rsa_oaep_2048_sha256_mgf1sha256_params,
+                 rsa_oaep_2048_sha384_mgf1sha1_params,
+                 rsa_oaep_2048_sha384_mgf1sha384_params,
+                 rsa_oaep_2048_sha512_mgf1sha1_params,
+                 rsa_oaep_2048_sha512_mgf1sha512_params,
+                 rsa_pkcs1_dec_2048_params,
+                 rsa_pkcs1_dec_3072_params,
+                 rsa_pkcs1_dec_4096_params,
+                 rsa_pss_2048_sha1_mgf1_20_params,
+                 rsa_pss_2048_sha256_mgf1_0_params,
+                 rsa_pss_2048_sha256_mgf1_32_params,
+                 rsa_pss_3072_sha256_mgf1_32_params,
+                 rsa_pss_4096_sha256_mgf1_32_params,
+                 rsa_pss_4096_sha512_mgf1_32_params,
+                 rsa_pss_misc_params,
+                 rsa_signature_2048_sha224_params,
+                 rsa_signature_2048_sha256_params,
+                 rsa_signature_2048_sha512_params,
+                 rsa_signature_3072_sha256_params,
+                 rsa_signature_3072_sha384_params,
+                 rsa_signature_3072_sha512_params,
+                 rsa_signature_4096_sha384_params,
+                 rsa_signature_4096_sha512_params,
+                 rsa_signature_params]
    update_tests(all_tests)
    for test in all_tests:
        generate_vectors_file(test)
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@ -30,6 +30,7 @@ CPPSRCS = \
      pk11_prf_unittest.cc \
      pk11_prng_unittest.cc \
      pk11_rsaencrypt_unittest.cc \
+      pk11_rsaoaep_unittest.cc \
      pk11_rsapkcs1_unittest.cc \
      pk11_rsapss_unittest.cc \
      pk11_seed_cbc_unittest.cc \
--- a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
@ -7,6 +7,7 @@
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
+#include "pk11priv.h"
 #include "secerr.h"
 #include "sechash.h"

@ -35,7 +36,7 @@ class Pkcs11AesGcmTest : public ::testing::TestWithParam<AesGcmKatValue> {
    }

    // Prepare AEAD params.
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
    gcm_params.pIv = iv.data();
    gcm_params.ulIvLen = iv.size();
    gcm_params.pAAD = aad.data();
@ -124,7 +125,7 @@ class Pkcs11AesGcmTest : public ::testing::TestWithParam<AesGcmKatValue> {
    std::vector<uint8_t> aad(0);

    // Prepare AEAD params.
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
    gcm_params.pIv = iv.data();
    gcm_params.ulIvLen = iv.size();
    gcm_params.pAAD = aad.data();
@ -140,6 +141,211 @@ class Pkcs11AesGcmTest : public ::testing::TestWithParam<AesGcmKatValue> {
                        &output_len, output.size(), data.data(), data.size());
  }

+  SECStatus MessageInterfaceTest(int iterations, int ivFixedBits,
+                                 CK_GENERATOR_FUNCTION ivGen,
+                                 PRBool separateTag) {
+    // Generate a random key.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    EXPECT_NE(nullptr, slot);
+    ScopedPK11SymKey sym_key(
+        PK11_KeyGen(slot.get(), mech, nullptr, 16, nullptr));
+    EXPECT_NE(nullptr, sym_key);
+
+    const int kTagSize = 16;
+    int cipher_simulated_size;
+    int output_len_message = 0;
+    int output_len_simulated = 0;
+    unsigned int output_len_v24 = 0;
+
+    std::vector<uint8_t> plainIn(17);
+    std::vector<uint8_t> plainOut_message(17);
+    std::vector<uint8_t> plainOut_simulated(17);
+    std::vector<uint8_t> plainOut_v24(17);
+    std::vector<uint8_t> iv(16);
+    std::vector<uint8_t> iv_init(16);
+    std::vector<uint8_t> iv_simulated(16);
+    std::vector<uint8_t> cipher_message(33);
+    std::vector<uint8_t> cipher_simulated(33);
+    std::vector<uint8_t> cipher_v24(33);
+    std::vector<uint8_t> aad(16);
+    std::vector<uint8_t> tag_message(16);
+    std::vector<uint8_t> tag_simulated(16);
+
+    // Prepare AEAD v2.40 params.
+    CK_GCM_PARAMS_V3 gcm_params;
+    gcm_params.pIv = iv.data();
+    gcm_params.ulIvLen = iv.size();
+    gcm_params.ulIvBits = iv.size() * 8;
+    gcm_params.pAAD = aad.data();
+    gcm_params.ulAADLen = aad.size();
+    gcm_params.ulTagBits = kTagSize * 8;
+
+    // Prepare AEAD MESSAGE params.
+    CK_GCM_MESSAGE_PARAMS gcm_message_params;
+    gcm_message_params.pIv = iv.data();
+    gcm_message_params.ulIvLen = iv.size();
+    gcm_message_params.ulTagBits = kTagSize * 8;
+    gcm_message_params.ulIvFixedBits = ivFixedBits;
+    gcm_message_params.ivGenerator = ivGen;
+    if (separateTag) {
+      gcm_message_params.pTag = tag_message.data();
+    } else {
+      gcm_message_params.pTag = cipher_message.data() + plainIn.size();
+    }
+
+    // Prepare AEAD MESSAGE params for simulated case
+    CK_GCM_MESSAGE_PARAMS gcm_simulated_params;
+    gcm_simulated_params = gcm_message_params;
+    if (separateTag) {
+      // The simulated case, we have to allocate temp bufs for separate
+      // tags, make sure that works in both the encrypt and the decrypt
+      // cases.
+      gcm_simulated_params.pTag = tag_simulated.data();
+      cipher_simulated_size = cipher_simulated.size() - kTagSize;
+    } else {
+      gcm_simulated_params.pTag = cipher_simulated.data() + plainIn.size();
+      cipher_simulated_size = cipher_simulated.size();
+    }
+    /* when we are using CKG_GENERATE_RANDOM, don't independently generate
+     * the IV in the simulated case. Since the IV's would be random, none of
+     * the generated results would be the same. Just use the IV we generated
+     * in message interface */
+    if (ivGen == CKG_GENERATE_RANDOM) {
+      gcm_simulated_params.ivGenerator = CKG_NO_GENERATE;
+    } else {
+      gcm_simulated_params.pIv = iv_simulated.data();
+    }
+
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&gcm_params),
+                      sizeof(gcm_params)};
+    SECItem empty = {siBuffer, NULL, 0};
+
+    // initialize our plain text, IV and aad.
+    EXPECT_EQ(PK11_GenerateRandom(plainIn.data(), plainIn.size()), SECSuccess);
+    EXPECT_EQ(PK11_GenerateRandom(aad.data(), aad.size()), SECSuccess);
+    EXPECT_EQ(PK11_GenerateRandom(iv_init.data(), iv_init.size()), SECSuccess);
+    iv_simulated = iv_init;  // vector assignment actually copies data
+    iv = iv_init;
+
+    // Initialize message encrypt context
+    ScopedPK11Context encrypt_message_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty));
+    EXPECT_NE(nullptr, encrypt_message_context);
+    if (!encrypt_message_context) {
+      return SECFailure;
+    }
+    EXPECT_FALSE(_PK11_ContextGetAEADSimulation(encrypt_message_context.get()));
+
+    // Initialize simulated encrypt context
+    ScopedPK11Context encrypt_simulated_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty));
+    EXPECT_NE(nullptr, encrypt_simulated_context);
+    if (!encrypt_simulated_context) {
+      return SECFailure;
+    }
+    EXPECT_EQ(SECSuccess,
+              _PK11_ContextSetAEADSimulation(encrypt_simulated_context.get()));
+
+    // Initialize message decrypt context
+    ScopedPK11Context decrypt_message_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty));
+    EXPECT_NE(nullptr, decrypt_message_context);
+    if (!decrypt_message_context) {
+      return SECFailure;
+    }
+    EXPECT_FALSE(_PK11_ContextGetAEADSimulation(decrypt_message_context.get()));
+
+    // Initialize simulated decrypt context
+    ScopedPK11Context decrypt_simulated_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty));
+    EXPECT_NE(nullptr, decrypt_simulated_context);
+    if (!decrypt_simulated_context) {
+      return SECFailure;
+    }
+    EXPECT_EQ(SECSuccess,
+              _PK11_ContextSetAEADSimulation(decrypt_simulated_context.get()));
+
+    // Now walk down our iterations. Each method of calculating the operation
+    // should agree at each step.
+    for (int i = 0; i < iterations; i++) {
+      SECStatus rv;
+      /* recopy the initial vector each time */
+      iv_simulated = iv_init;
+      iv = iv_init;
+
+      // First encrypt. We don't test the error code here, because
+      // we may be testing error conditions with this function (namely
+      // do we fail if we try to generate to many Random IV's).
+      rv =
+          PK11_AEADRawOp(encrypt_message_context.get(), &gcm_message_params,
+                         sizeof(gcm_message_params), aad.data(), aad.size(),
+                         cipher_message.data(), &output_len_message,
+                         cipher_message.size(), plainIn.data(), plainIn.size());
+      if (rv != SECSuccess) {
+        return rv;
+      }
+      rv =
+          PK11_AEADRawOp(encrypt_simulated_context.get(), &gcm_simulated_params,
+                         sizeof(gcm_simulated_params), aad.data(), aad.size(),
+                         cipher_simulated.data(), &output_len_simulated,
+                         cipher_simulated_size, plainIn.data(), plainIn.size());
+      if (rv != SECSuccess) {
+        return rv;
+      }
+      // make sure simulated and message is the same
+      EXPECT_EQ(output_len_message, output_len_simulated);
+      EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_simulated.data(),
+                          output_len_message));
+      EXPECT_EQ(0, memcmp(gcm_message_params.pTag, gcm_simulated_params.pTag,
+                          kTagSize));
+      EXPECT_EQ(0, memcmp(iv.data(), gcm_simulated_params.pIv, iv.size()));
+      // make sure v2.40 is the same. it inherits the generated iv from
+      // encrypt_message_context.
+      EXPECT_EQ(SECSuccess,
+                PK11_Encrypt(sym_key.get(), mech, &params, cipher_v24.data(),
+                             &output_len_v24, cipher_v24.size(), plainIn.data(),
+                             plainIn.size()));
+      EXPECT_EQ(output_len_message, (int)output_len_v24 - kTagSize);
+      EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_v24.data(),
+                          output_len_message));
+      EXPECT_EQ(0, memcmp(gcm_message_params.pTag,
+                          cipher_v24.data() + output_len_message, kTagSize));
+      // now make sure we can decrypt
+      EXPECT_EQ(SECSuccess,
+                PK11_AEADRawOp(decrypt_message_context.get(),
+                               &gcm_message_params, sizeof(gcm_message_params),
+                               aad.data(), aad.size(), plainOut_message.data(),
+                               &output_len_message, plainOut_message.size(),
+                               cipher_message.data(), output_len_message));
+      EXPECT_EQ(output_len_message, (int)plainIn.size());
+      EXPECT_EQ(
+          0, memcmp(plainOut_message.data(), plainIn.data(), plainIn.size()));
+      EXPECT_EQ(
+          SECSuccess,
+          PK11_AEADRawOp(decrypt_simulated_context.get(), &gcm_simulated_params,
+                         sizeof(gcm_simulated_params), aad.data(), aad.size(),
+                         plainOut_simulated.data(), &output_len_simulated,
+                         plainOut_simulated.size(), cipher_message.data(),
+                         output_len_simulated));
+      EXPECT_EQ(output_len_simulated, (int)plainIn.size());
+      EXPECT_EQ(
+          0, memcmp(plainOut_simulated.data(), plainIn.data(), plainIn.size()));
+      if (separateTag) {
+        // in the separateTag case, we need to copy the tag back to the
+        // end of the cipher_message.data() before using the v2.4 interface
+        memcpy(cipher_message.data() + output_len_message,
+               gcm_message_params.pTag, kTagSize);
+      }
+      EXPECT_EQ(SECSuccess,
+                PK11_Decrypt(sym_key.get(), mech, &params, plainOut_v24.data(),
+                             &output_len_v24, plainOut_v24.size(),
+                             cipher_message.data(), output_len_v24));
+      EXPECT_EQ(output_len_v24, plainIn.size());
+      EXPECT_EQ(0, memcmp(plainOut_v24.data(), plainIn.data(), plainIn.size()));
+    }
+    return SECSuccess;
+  }
+
  const CK_MECHANISM_TYPE mech = CKM_AES_GCM;
 };

@ -166,4 +372,57 @@ TEST_F(Pkcs11AesGcmTest, TwelveByteZeroIV) {
  EXPECT_EQ(SECSuccess, EncryptWithIV(iv));
 }

+// basic message interface it's the most common configuration
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceBasic) {
+  EXPECT_EQ(SECSuccess,
+            MessageInterfaceTest(16, 0, CKG_GENERATE_COUNTER, PR_FALSE));
+}
+
+// basic interface, but return the tags in a separate buffer. This triggers
+// different behaviour in the simulated case, which has to buffer the
+// intermediate values in a separate buffer.
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceSeparateTags) {
+  EXPECT_EQ(SECSuccess,
+            MessageInterfaceTest(16, 0, CKG_GENERATE_COUNTER, PR_TRUE));
+}
+
+// test the case where we are only allowing a portion of the iv to be generated
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceIVMask) {
+  EXPECT_EQ(SECSuccess,
+            MessageInterfaceTest(16, 124, CKG_GENERATE_COUNTER, PR_FALSE));
+}
+
+// test the case where we using the tls1.3 iv generation
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceXorCounter) {
+  EXPECT_EQ(SECSuccess,
+            MessageInterfaceTest(16, 0, CKG_GENERATE_COUNTER_XOR, PR_FALSE));
+}
+
+// test the case where we overflow the counter (requires restricted iv)
+// 128-124 = 4 bits;
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceCounterOverflow) {
+  EXPECT_EQ(SECFailure,
+            MessageInterfaceTest(17, 124, CKG_GENERATE_COUNTER, PR_FALSE));
+}
+
+// overflow the tla1.2 iv case
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceXorCounterOverflow) {
+  EXPECT_EQ(SECFailure,
+            MessageInterfaceTest(17, 124, CKG_GENERATE_COUNTER_XOR, PR_FALSE));
+}
+
+// test random generation of the IV (uses an aligned restricted iv)
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceRandomIV) {
+  EXPECT_EQ(SECSuccess,
+            MessageInterfaceTest(16, 56, CKG_GENERATE_RANDOM, PR_FALSE));
+}
+
+// test the case where we try to generate too many random IVs for the size of
+// our our restricted IV (notice for counters, we can generate 16 IV with
+// 4 bits, but for random we need at least 72 bits to generate 16 IVs).
+// 128-56 = 72 bits
+TEST_F(Pkcs11AesGcmTest, MessageInterfaceRandomOverflow) {
+  EXPECT_EQ(SECFailure,
+            MessageInterfaceTest(17, 56, CKG_GENERATE_RANDOM, PR_FALSE));
+}
 }  // namespace nss_test
--- a/security/nss/gtests/pk11_gtest/pk11_cbc_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_cbc_unittest.cc
@ -256,8 +256,8 @@ TEST_F(Pkcs11CbcPadTest, FailEncryptShortParam) {
  unsigned int encrypted_len = 0;
  size_t input_len = AES_BLOCK_SIZE;

-  // CK_GCM_PARAMS is the largest param struct used across AES modes
-  uint8_t param_buf[sizeof(CK_GCM_PARAMS)];
+  // CK_NSS_GCM_PARAMS is the largest param struct used across AES modes
+  uint8_t param_buf[sizeof(CK_NSS_GCM_PARAMS)];
  SECItem param = {siBuffer, param_buf, sizeof(param_buf)};
  SECItem key_item = {siBuffer, const_cast<uint8_t*>(kKeyData), 16};

@ -281,18 +281,18 @@ TEST_F(Pkcs11CbcPadTest, FailEncryptShortParam) {
                    sizeof(encrypted), kInput, input_len);
  EXPECT_EQ(SECSuccess, rv);

-  // GCM should have a CK_GCM_PARAMS
-  param.len = sizeof(CK_GCM_PARAMS) - 1;
+  // GCM should have a CK_NSS_GCM_PARAMS
+  param.len = sizeof(CK_NSS_GCM_PARAMS) - 1;
  rv = PK11_Encrypt(key.get(), CKM_AES_GCM, &param, encrypted, &encrypted_len,
                    sizeof(encrypted), kInput, input_len);
  EXPECT_EQ(SECFailure, rv);

  param.len++;
-  reinterpret_cast<CK_GCM_PARAMS*>(param.data)->pIv = param_buf;
-  reinterpret_cast<CK_GCM_PARAMS*>(param.data)->ulIvLen = 12;
-  reinterpret_cast<CK_GCM_PARAMS*>(param.data)->pAAD = nullptr;
-  reinterpret_cast<CK_GCM_PARAMS*>(param.data)->ulAADLen = 0;
-  reinterpret_cast<CK_GCM_PARAMS*>(param.data)->ulTagBits = 128;
+  reinterpret_cast<CK_NSS_GCM_PARAMS*>(param.data)->pIv = param_buf;
+  reinterpret_cast<CK_NSS_GCM_PARAMS*>(param.data)->ulIvLen = 12;
+  reinterpret_cast<CK_NSS_GCM_PARAMS*>(param.data)->pAAD = nullptr;
+  reinterpret_cast<CK_NSS_GCM_PARAMS*>(param.data)->ulAADLen = 0;
+  reinterpret_cast<CK_NSS_GCM_PARAMS*>(param.data)->ulTagBits = 128;
  rv = PK11_Encrypt(key.get(), CKM_AES_GCM, &param, encrypted, &encrypted_len,
                    sizeof(encrypted), kInput, input_len);
  EXPECT_EQ(SECSuccess, rv);
--- a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@ -7,6 +7,7 @@
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
+#include "pk11priv.h"
 #include "sechash.h"
 #include "secerr.h"

@ -186,6 +187,168 @@ class Pkcs11ChaCha20Poly1305Test
                   testvector.ciphertext.data(), testvector.ciphertext.size());
  }

+  void MessageInterfaceTest(CK_MECHANISM_TYPE mech, int iterations,
+                            PRBool separateTag) {
+    // Generate a random key.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ASSERT_NE(nullptr, slot);
+    ScopedPK11SymKey sym_key(
+        PK11_KeyGen(slot.get(), mech, nullptr, 32, nullptr));
+    ASSERT_NE(nullptr, sym_key);
+
+    int tagSize = 16;
+    int cipher_simulated_size;
+    int output_len_message = 0;
+    int output_len_simulated = 0;
+    unsigned int output_len_v24 = 0;
+
+    std::vector<uint8_t> plainIn(17);
+    std::vector<uint8_t> plainOut_message(17);
+    std::vector<uint8_t> plainOut_simulated(17);
+    std::vector<uint8_t> plainOut_v24(17);
+    std::vector<uint8_t> nonce(12);
+    std::vector<uint8_t> cipher_message(33);
+    std::vector<uint8_t> cipher_simulated(33);
+    std::vector<uint8_t> cipher_v24(33);
+    std::vector<uint8_t> aad(16);
+    std::vector<uint8_t> tag_message(16);
+    std::vector<uint8_t> tag_simulated(16);
+
+    // Prepare AEAD v2.40 params.
+    CK_SALSA20_CHACHA20_POLY1305_PARAMS chacha_params;
+    chacha_params.pNonce = nonce.data();
+    chacha_params.ulNonceLen = nonce.size();
+    chacha_params.pAAD = aad.data();
+    chacha_params.ulAADLen = aad.size();
+
+    // Prepare AEAD MESSAGE params.
+    CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS chacha_message_params;
+    chacha_message_params.pNonce = nonce.data();
+    chacha_message_params.ulNonceLen = nonce.size();
+    if (separateTag) {
+      chacha_message_params.pTag = tag_message.data();
+    } else {
+      chacha_message_params.pTag = cipher_message.data() + plainIn.size();
+    }
+
+    // Prepare AEAD MESSAGE params for simulated case
+    CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS chacha_simulated_params;
+    chacha_simulated_params = chacha_message_params;
+    if (separateTag) {
+      // The simulated case, we have to allocate temp bufs for separate
+      // tags, make sure that works in both the encrypt and the decrypt
+      // cases.
+      chacha_simulated_params.pTag = tag_simulated.data();
+      cipher_simulated_size = cipher_simulated.size() - tagSize;
+    } else {
+      chacha_simulated_params.pTag = cipher_simulated.data() + plainIn.size();
+      cipher_simulated_size = cipher_simulated.size();
+    }
+    SECItem params = {siBuffer,
+                      reinterpret_cast<unsigned char*>(&chacha_params),
+                      sizeof(chacha_params)};
+    SECItem empty = {siBuffer, NULL, 0};
+
+    // initialize our plain text, IV and aad.
+    ASSERT_EQ(PK11_GenerateRandom(plainIn.data(), plainIn.size()), SECSuccess);
+    ASSERT_EQ(PK11_GenerateRandom(aad.data(), aad.size()), SECSuccess);
+
+    // Initialize message encrypt context
+    ScopedPK11Context encrypt_message_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty));
+    ASSERT_NE(nullptr, encrypt_message_context);
+    ASSERT_FALSE(_PK11_ContextGetAEADSimulation(encrypt_message_context.get()));
+
+    // Initialize simulated encrypt context
+    ScopedPK11Context encrypt_simulated_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_ENCRYPT, sym_key.get(), &empty));
+    ASSERT_NE(nullptr, encrypt_simulated_context);
+    ASSERT_EQ(SECSuccess,
+              _PK11_ContextSetAEADSimulation(encrypt_simulated_context.get()));
+
+    // Initialize message decrypt context
+    ScopedPK11Context decrypt_message_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty));
+    ASSERT_NE(nullptr, decrypt_message_context);
+    ASSERT_FALSE(_PK11_ContextGetAEADSimulation(decrypt_message_context.get()));
+
+    // Initialize simulated decrypt context
+    ScopedPK11Context decrypt_simulated_context(PK11_CreateContextBySymKey(
+        mech, CKA_NSS_MESSAGE | CKA_DECRYPT, sym_key.get(), &empty));
+    ASSERT_NE(nullptr, decrypt_simulated_context);
+    EXPECT_EQ(SECSuccess,
+              _PK11_ContextSetAEADSimulation(decrypt_simulated_context.get()));
+
+    // Now walk down our iterations. Each method of calculating the operation
+    // should agree at each step.
+    for (int i = 0; i < iterations; i++) {
+      // get a unique nonce for each iteration
+      EXPECT_EQ(PK11_GenerateRandom(nonce.data(), nonce.size()), SECSuccess);
+      EXPECT_EQ(SECSuccess,
+                PK11_AEADRawOp(
+                    encrypt_message_context.get(), &chacha_message_params,
+                    sizeof(chacha_message_params), aad.data(), aad.size(),
+                    cipher_message.data(), &output_len_message,
+                    cipher_message.size(), plainIn.data(), plainIn.size()));
+      EXPECT_EQ(SECSuccess,
+                PK11_AEADRawOp(
+                    encrypt_simulated_context.get(), &chacha_simulated_params,
+                    sizeof(chacha_simulated_params), aad.data(), aad.size(),
+                    cipher_simulated.data(), &output_len_simulated,
+                    cipher_simulated_size, plainIn.data(), plainIn.size()));
+      // make sure simulated and message is the same
+      EXPECT_EQ(output_len_message, output_len_simulated);
+      EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_simulated.data(),
+                          output_len_message));
+      EXPECT_EQ(0, memcmp(chacha_message_params.pTag,
+                          chacha_simulated_params.pTag, tagSize));
+      // make sure v2.40 is the same.
+      EXPECT_EQ(SECSuccess,
+                PK11_Encrypt(sym_key.get(), mech, &params, cipher_v24.data(),
+                             &output_len_v24, cipher_v24.size(), plainIn.data(),
+                             plainIn.size()));
+      EXPECT_EQ(output_len_message, (int)output_len_v24 - tagSize);
+      EXPECT_EQ(0, memcmp(cipher_message.data(), cipher_v24.data(),
+                          output_len_message));
+      EXPECT_EQ(0, memcmp(chacha_message_params.pTag,
+                          cipher_v24.data() + output_len_message, tagSize));
+      // now make sure we can decrypt
+      EXPECT_EQ(
+          SECSuccess,
+          PK11_AEADRawOp(decrypt_message_context.get(), &chacha_message_params,
+                         sizeof(chacha_message_params), aad.data(), aad.size(),
+                         plainOut_message.data(), &output_len_message,
+                         plainOut_message.size(), cipher_message.data(),
+                         output_len_message));
+      EXPECT_EQ(output_len_message, (int)plainIn.size());
+      EXPECT_EQ(
+          0, memcmp(plainOut_message.data(), plainIn.data(), plainIn.size()));
+      EXPECT_EQ(SECSuccess,
+                PK11_AEADRawOp(decrypt_simulated_context.get(),
+                               &chacha_simulated_params,
+                               sizeof(chacha_simulated_params), aad.data(),
+                               aad.size(), plainOut_simulated.data(),
+                               &output_len_simulated, plainOut_simulated.size(),
+                               cipher_message.data(), output_len_simulated));
+      EXPECT_EQ(output_len_simulated, (int)plainIn.size());
+      EXPECT_EQ(
+          0, memcmp(plainOut_simulated.data(), plainIn.data(), plainIn.size()));
+      if (separateTag) {
+        // in the separateTag case, we need to copy the tag back to the
+        // end of the cipher_message.data() before using the v2.4 interface
+        memcpy(cipher_message.data() + output_len_message,
+               chacha_message_params.pTag, tagSize);
+      }
+      EXPECT_EQ(SECSuccess,
+                PK11_Decrypt(sym_key.get(), mech, &params, plainOut_v24.data(),
+                             &output_len_v24, plainOut_v24.size(),
+                             cipher_message.data(), output_len_v24));
+      EXPECT_EQ(output_len_v24, plainIn.size());
+      EXPECT_EQ(0, memcmp(plainOut_v24.data(), plainIn.data(), plainIn.size()));
+    }
+    return;
+  }
+
 protected:
 };

@ -305,4 +468,17 @@ INSTANTIATE_TEST_CASE_P(NSSTestVector, Pkcs11ChaCha20Poly1305Test,
 INSTANTIATE_TEST_CASE_P(WycheproofTestVector, Pkcs11ChaCha20Poly1305Test,
                        ::testing::ValuesIn(kChaCha20WycheproofVectors));

+// basic message interface it's the most common configuration
+TEST_F(Pkcs11ChaCha20Poly1305Test, ChaCha201305MessageInterfaceBasic) {
+  MessageInterfaceTest(CKM_CHACHA20_POLY1305, 16, PR_FALSE);
+}
+
+// basic interface, but return the tags in a separate buffer. This triggers
+// different behaviour in the simulated case, which has to buffer the
+// intermediate values in a separate buffer.
+TEST_F(Pkcs11ChaCha20Poly1305Test,
+       ChaCha20Poly1305MessageInterfaceSeparateTags) {
+  MessageInterfaceTest(CKM_CHACHA20_POLY1305, 16, PR_TRUE);
+}
+
 }  // namespace nss_test
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@ -35,6 +35,7 @@
        'pk11_prf_unittest.cc',
        'pk11_prng_unittest.cc',
        'pk11_rsaencrypt_unittest.cc',
+        'pk11_rsaoaep_unittest.cc',
        'pk11_rsapkcs1_unittest.cc',
        'pk11_rsapss_unittest.cc',
        'pk11_seed_cbc_unittest.cc',
--- a/security/nss/gtests/pk11_gtest/pk11_hkdf_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_hkdf_unittest.cc
@ -17,35 +17,141 @@

 namespace nss_test {

+/* different mechanisms for the tests */
+typedef int HkdfTestType;
+const int kNSSHkdfLegacy = 0;
+const int kPkcs11HkdfDerive = 1;
+const int kPkcs11HkdfDeriveDataKey = 2;
+const int kPkcs11HkdfSaltDerive = 3;
+const int kPkcs11HkdfData = 4;
+const int kPKCS11NumTypes = 5;
+
 class Pkcs11HkdfTest : public ::testing::TestWithParam<hkdf_vector> {
 protected:
-  ScopedPK11SymKey ImportKey(CK_MECHANISM_TYPE mech, SECItem *ikm_item) {
+  CK_MECHANISM_TYPE Pk11HkdfToHash(CK_MECHANISM_TYPE nssHkdfMech) {
+    switch (nssHkdfMech) {
+      case CKM_NSS_HKDF_SHA1:
+        return CKM_SHA_1;
+      case CKM_NSS_HKDF_SHA256:
+        return CKM_SHA256;
+      case CKM_NSS_HKDF_SHA384:
+        return CKM_SHA384;
+      case CKM_NSS_HKDF_SHA512:
+        return CKM_SHA512;
+      default:
+        break;
+    }
+
+    return CKM_INVALID_MECHANISM;
+  }
+
+  ScopedPK11SymKey ImportKey(CK_KEY_TYPE keyType, SECItem *ikm_item) {
    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    CK_MECHANISM_TYPE mech = CKM_HKDF_KEY_GEN;
    if (!slot) {
      ADD_FAILURE() << "Can't get slot";
      return nullptr;
    }
-    ScopedPK11SymKey ikm(
-        PK11_ImportSymKey(slot.get(), CKM_GENERIC_SECRET_KEY_GEN,
-                          PK11_OriginUnwrap, CKA_SIGN, ikm_item, nullptr));
+    switch (keyType) {
+      case CKK_GENERIC_SECRET:
+        mech = CKM_GENERIC_SECRET_KEY_GEN;
+        break;
+      case CKK_HKDF:
+        mech = CKM_HKDF_KEY_GEN;
+        break;
+    }
+
+    ScopedPK11SymKey ikm(PK11_ImportSymKey(slot.get(), mech, PK11_OriginUnwrap,
+                                           CKA_SIGN, ikm_item, nullptr));

    return ikm;
  }

-  void RunTest(hkdf_vector vec) {
+  void RunTest(hkdf_vector vec, HkdfTestType type, CK_KEY_TYPE keyType) {
    SECItem ikm_item = {siBuffer, vec.ikm.data(),
                        static_cast<unsigned int>(vec.ikm.size())};
-
-    CK_NSS_HKDFParams hkdf_params = {
+    SECItem salt_item = {siBuffer, vec.salt.data(),
+                         static_cast<unsigned int>(vec.salt.size())};
+    CK_MECHANISM_TYPE derive_mech = vec.mech;
+    CK_NSS_HKDFParams nss_hkdf_params = {
        true, vec.salt.data(), static_cast<unsigned int>(vec.salt.size()),
        true, vec.info.data(), static_cast<unsigned int>(vec.info.size())};
-    SECItem params_item = {siBuffer, (unsigned char *)&hkdf_params,
-                           sizeof(hkdf_params)};
+    CK_HKDF_PARAMS hkdf_params = {true,
+                                  true,
+                                  vec.mech,
+                                  CKF_HKDF_SALT_DATA,
+                                  vec.salt.data(),
+                                  static_cast<unsigned int>(vec.salt.size()),
+                                  CK_INVALID_HANDLE,
+                                  vec.info.data(),
+                                  static_cast<unsigned int>(vec.info.size())};
+    SECItem params_item = {siBuffer, (unsigned char *)&nss_hkdf_params,
+                           sizeof(nss_hkdf_params)};

-    ScopedPK11SymKey ikm = ImportKey(vec.mech, &ikm_item);
+    ScopedPK11SymKey ikm = ImportKey(keyType, &ikm_item);
+    ScopedPK11SymKey salt_key = NULL;
    ASSERT_NE(nullptr, ikm.get());
+
+    switch (type) {
+      case kNSSHkdfLegacy:
+        printf("kNSSHkdfLegacy\n");
+        break; /* already set up */
+      case kPkcs11HkdfDeriveDataKey: {
+        ScopedPK11SlotInfo slot(PK11_GetSlotFromKey(ikm.get()));
+        CK_OBJECT_CLASS ckoData = CKO_DATA;
+        CK_OBJECT_HANDLE handle;
+        CK_ATTRIBUTE pk11template[2] = {
+            {CKA_CLASS, (CK_BYTE_PTR)&ckoData, sizeof(ckoData)},
+            {CKA_VALUE, vec.ikm.data(), static_cast<CK_ULONG>(vec.ikm.size())}};
+
+        ScopedPK11GenericObject dataKey(PK11_CreateGenericObject(
+            slot.get(), pk11template, PR_ARRAY_SIZE(pk11template), PR_FALSE));
+        ASSERT_NE(nullptr, dataKey.get());
+        handle = PK11_GetObjectHandle(PK11_TypeGeneric, dataKey.get(), NULL);
+        ASSERT_NE((CK_ULONG)CK_INVALID_HANDLE, (CK_ULONG)handle);
+        /* replaces old key with our new data key */
+        ikm = ScopedPK11SymKey(
+            PK11_SymKeyFromHandle(slot.get(), NULL, PK11_OriginUnwrap,
+                                  CKM_HKDF_DERIVE, handle, PR_TRUE, NULL));
+        ASSERT_NE(nullptr, ikm.get());
+        /* generic object is freed, ikm owns the handle */
+      }
+      /* fall through */
+      case kPkcs11HkdfSaltDerive:
+      case kPkcs11HkdfDerive:
+        if (hkdf_params.ulSaltLen == 0) {
+          hkdf_params.ulSaltType = CKF_HKDF_SALT_NULL;
+          printf("kPkcs11HkdfNullSaltDerive\n");
+        } else if (type == kPkcs11HkdfSaltDerive) {
+          salt_key = ImportKey(keyType, &salt_item);
+          hkdf_params.ulSaltType = CKF_HKDF_SALT_KEY;
+          hkdf_params.ulSaltLen = 0;
+          hkdf_params.pSalt = NULL;
+          hkdf_params.hSaltKey = PK11_GetSymKeyHandle(salt_key.get());
+          printf("kPkcs11HkdfSaltDerive\n");
+        } else {
+          printf("kPkcs11HkdfDerive%s\n",
+                 (type == kPkcs11HkdfDeriveDataKey) ? "DataKey" : "");
+        }
+        hkdf_params.prfHashMechanism = Pk11HkdfToHash(vec.mech);
+        params_item.data = (unsigned char *)&hkdf_params;
+        params_item.len = sizeof(hkdf_params);
+        derive_mech = CKM_HKDF_DERIVE;
+        break;
+      case kPkcs11HkdfData:
+        printf("kPkcs11HkdfData\n");
+        if (hkdf_params.ulSaltLen == 0) {
+          hkdf_params.ulSaltType = CKF_HKDF_SALT_NULL;
+        }
+        hkdf_params.prfHashMechanism = Pk11HkdfToHash(vec.mech);
+        params_item.data = (unsigned char *)&hkdf_params;
+        params_item.len = sizeof(hkdf_params);
+        derive_mech = CKM_HKDF_DATA;
+        break;
+    }
+    ASSERT_NE(derive_mech, CKM_INVALID_MECHANISM);
    ScopedPK11SymKey okm = ScopedPK11SymKey(
-        PK11_Derive(ikm.get(), vec.mech, &params_item,
+        PK11_Derive(ikm.get(), derive_mech, &params_item,
                    CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.l));
    if (vec.res.expect_rv == SECSuccess) {
      ASSERT_NE(nullptr, okm.get());
@ -60,6 +166,17 @@ class Pkcs11HkdfTest : public ::testing::TestWithParam<hkdf_vector> {
      ASSERT_EQ(nullptr, okm.get());
    }
  }
+  void RunTest(hkdf_vector vec) {
+    HkdfTestType test_type;
+
+    for (test_type = kNSSHkdfLegacy; test_type < kPKCS11NumTypes; test_type++) {
+      RunTest(vec, test_type, CKK_GENERIC_SECRET);
+      if (test_type == kPkcs11HkdfDeriveDataKey) {
+        continue;
+      }
+      RunTest(vec, test_type, CKK_HKDF);
+    }
+  }
 };

 TEST_P(Pkcs11HkdfTest, TestVectors) { RunTest(GetParam()); }
--- a/security/nss/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc
@ -14,8 +14,58 @@
 #include "nss_scoped_ptrs.h"
 #include "pk11pub.h"

+#include "testvectors/rsa_pkcs1_2048_test-vectors.h"
+#include "testvectors/rsa_pkcs1_3072_test-vectors.h"
+#include "testvectors/rsa_pkcs1_4096_test-vectors.h"
+
 namespace nss_test {

+class RsaDecryptWycheproofTest
+    : public ::testing::TestWithParam<RsaDecryptTestVector> {
+ protected:
+  void TestDecrypt(const RsaDecryptTestVector vec) {
+    SECItem pkcs8_item = {siBuffer, toUcharPtr(vec.priv_key.data()),
+                          static_cast<unsigned int>(vec.priv_key.size())};
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+    EXPECT_NE(nullptr, slot);
+
+    SECKEYPrivateKey* key = nullptr;
+    SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+        slot.get(), &pkcs8_item, nullptr, nullptr, false, false, KU_ALL, &key,
+        nullptr);
+    ASSERT_EQ(SECSuccess, rv);
+    ASSERT_NE(nullptr, key);
+    ScopedSECKEYPrivateKey priv_key(key);
+
+    // Decrypt
+    std::vector<uint8_t> decrypted(PR_MAX(1, vec.ct.size()));
+    unsigned int decrypted_len = 0;
+    rv = PK11_PrivDecryptPKCS1(priv_key.get(), decrypted.data(), &decrypted_len,
+                               decrypted.size(), vec.ct.data(), vec.ct.size());
+
+    // RSA_DecryptBlock returns SECFailure with an empty message.
+    if (vec.valid && vec.msg.size()) {
+      EXPECT_EQ(SECSuccess, rv);
+      decrypted.resize(decrypted_len);
+      EXPECT_EQ(vec.msg, decrypted);
+    } else {
+      EXPECT_EQ(SECFailure, rv);
+    }
+  };
+};
+
+TEST_P(RsaDecryptWycheproofTest, Pkcs1Decrypt) { TestDecrypt(GetParam()); }
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsa2048DecryptTest, RsaDecryptWycheproofTest,
+                        ::testing::ValuesIn(kRsa2048DecryptWycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsa3072DecryptTest, RsaDecryptWycheproofTest,
+                        ::testing::ValuesIn(kRsa3072DecryptWycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsa4096DecryptTest, RsaDecryptWycheproofTest,
+                        ::testing::ValuesIn(kRsa4096DecryptWycheproofVectors));
+
 TEST(RsaEncryptTest, MessageLengths) {
  const uint8_t spki[] = {
      0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
@ -74,4 +124,4 @@ TEST(RsaEncryptTest, MessageLengths) {
                       &ctxt_len, UINT_MAX, msg.data(), UINT_MAX, nullptr);
  ASSERT_EQ(SECFailure, rv);
 }
-}
+}  // namespace nss_test
--- a/security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
@ -0,0 +1,119 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+
+#include "cpputil.h"
+#include "cryptohi.h"
+#include "gtest/gtest.h"
+#include "limits.h"
+#include "nss.h"
+#include "nss_scoped_ptrs.h"
+#include "pk11pub.h"
+
+#include "testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h"
+#include "testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h"
+
+namespace nss_test {
+
+class RsaOaepWycheproofTest
+    : public ::testing::TestWithParam<RsaOaepTestVectorStr> {
+ protected:
+  void TestDecrypt(const RsaOaepTestVectorStr vec) {
+    SECItem pkcs8_item = {siBuffer, toUcharPtr(vec.priv_key.data()),
+                          static_cast<unsigned int>(vec.priv_key.size())};
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+    EXPECT_NE(nullptr, slot);
+
+    SECKEYPrivateKey* key = nullptr;
+    SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+        slot.get(), &pkcs8_item, nullptr, nullptr, false, false, KU_ALL, &key,
+        nullptr);
+    ASSERT_EQ(SECSuccess, rv);
+    ASSERT_NE(nullptr, key);
+    ScopedSECKEYPrivateKey priv_key(key);
+
+    // Set up the OAEP parameters.
+    CK_RSA_PKCS_OAEP_PARAMS oaepParams;
+    oaepParams.source = CKZ_DATA_SPECIFIED;
+    oaepParams.pSourceData = const_cast<unsigned char*>(vec.label.data());
+    oaepParams.ulSourceDataLen = vec.label.size();
+    oaepParams.mgf = vec.mgf_hash;
+    oaepParams.hashAlg = HashOidToHashMech(vec.hash_oid);
+    SECItem params_item = {siBuffer,
+                           toUcharPtr(reinterpret_cast<uint8_t*>(&oaepParams)),
+                           static_cast<unsigned int>(sizeof(oaepParams))};
+    // Decrypt.
+    std::vector<uint8_t> decrypted(PR_MAX(1, vec.ct.size()));
+    unsigned int decrypted_len = 0;
+    rv = PK11_PrivDecrypt(priv_key.get(), CKM_RSA_PKCS_OAEP, &params_item,
+                          decrypted.data(), &decrypted_len, decrypted.size(),
+                          vec.ct.data(), vec.ct.size());
+
+    if (vec.valid) {
+      EXPECT_EQ(SECSuccess, rv);
+      decrypted.resize(decrypted_len);
+      EXPECT_EQ(vec.msg, decrypted);
+    } else {
+      EXPECT_EQ(SECFailure, rv);
+    }
+  };
+
+ private:
+  inline CK_MECHANISM_TYPE HashOidToHashMech(SECOidTag hash_oid) {
+    switch (hash_oid) {
+      case SEC_OID_SHA1:
+        return CKM_SHA_1;
+      case SEC_OID_SHA224:
+        return CKM_SHA224;
+      case SEC_OID_SHA256:
+        return CKM_SHA256;
+      case SEC_OID_SHA384:
+        return CKM_SHA384;
+      case SEC_OID_SHA512:
+        return CKM_SHA512;
+      default:
+        ADD_FAILURE();
+    }
+    return CKM_INVALID_MECHANISM;
+  }
+};
+
+TEST_P(RsaOaepWycheproofTest, OaepDecrypt) { TestDecrypt(GetParam()); }
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsa2048Sha1OaepTest, RsaOaepWycheproofTest,
+                        ::testing::ValuesIn(kRsaOaep2048Sha1WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha256Sha1Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha256Mgf1Sha1WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha256Sha256Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha256Mgf1Sha256WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha384Sha1Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha384Mgf1Sha1WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha384Sha384Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha384Mgf1Sha384WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha512Sha1Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha1WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    WycheproofOaep2048Sha512Sha512Test, RsaOaepWycheproofTest,
+    ::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors));
+}  // namespace nss_test
--- a/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
@ -5,98 +5,88 @@
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include <stdint.h>
+#include <memory>
 #include "cryptohi.h"
-#include "nss.h"
-#include "pk11pub.h"
-
-#include "gtest/gtest.h"
-#include "nss_scoped_ptrs.h"
 #include "cpputil.h"
+#include "databuffer.h"
+#include "gtest/gtest.h"
+#include "nss.h"
+#include "nss_scoped_ptrs.h"
+#include "pk11pub.h"
+#include "sechash.h"
+
+#include "testvectors/rsa_signature_2048_sha224-vectors.h"
+#include "testvectors/rsa_signature_2048_sha256-vectors.h"
+#include "testvectors/rsa_signature_2048_sha512-vectors.h"
+#include "testvectors/rsa_signature_3072_sha256-vectors.h"
+#include "testvectors/rsa_signature_3072_sha384-vectors.h"
+#include "testvectors/rsa_signature_3072_sha512-vectors.h"
+#include "testvectors/rsa_signature_4096_sha384-vectors.h"
+#include "testvectors/rsa_signature_4096_sha512-vectors.h"
+#include "testvectors/rsa_signature-vectors.h"

 namespace nss_test {

-// Test that the RSASSA-PKCS1-v1_5 implementation enforces the missing NULL
-// parameter.
-TEST(RsaPkcs1Test, RequireNullParameter) {
-  // kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo.
-  const uint8_t kSpki[] = {
-      0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-      0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
-      0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9,
-      0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb,
-      0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0,
-      0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef,
-      0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa,
-      0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76,
-      0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25,
-      0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79,
-      0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49,
-      0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd,
-      0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61,
-      0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
-  };
-  // kHash is the SHA-256 hash of {1,2,3,4}.
-  const uint8_t kHash[] = {
-      0x9f, 0x64, 0xa7, 0x47, 0xe1, 0xb9, 0x7f, 0x13, 0x1f, 0xab, 0xb6,
-      0xb4, 0x47, 0x29, 0x6c, 0x9b, 0x6f, 0x02, 0x01, 0xe7, 0x9f, 0xb3,
-      0xc5, 0x35, 0x6e, 0x6c, 0x77, 0xe8, 0x9b, 0x6a, 0x80, 0x6a,
-  };
-  // kSignature is the signature of kHash with RSASSA-PKCS1-v1_5.
-  const uint8_t kSignature[] = {
-      0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
-      0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
-      0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
-      0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
-      0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
-      0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
-      0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
-      0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
-      0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
-      0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
-      0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
-  };
-  // kSignature is an invalid signature of kHash with RSASSA-PKCS1-v1_5 with the
-  // NULL parameter omitted.
-  const uint8_t kSignatureInvalid[] = {
-      0x71, 0x6c, 0x24, 0x4e, 0xc9, 0x9b, 0x19, 0xc7, 0x49, 0x29, 0xb8, 0xd4,
-      0xfb, 0x26, 0x23, 0xc0, 0x96, 0x18, 0xcd, 0x1e, 0x60, 0xe8, 0x88, 0x94,
-      0x8c, 0x59, 0xfb, 0x58, 0x5c, 0x61, 0x58, 0x7a, 0xae, 0xcc, 0xeb, 0xee,
-      0x1e, 0x85, 0x7d, 0x83, 0xa9, 0xdc, 0x6f, 0x4c, 0x34, 0x5c, 0xcb, 0xd9,
-      0xde, 0x58, 0x76, 0xdf, 0x1f, 0x5e, 0xd4, 0x57, 0x5b, 0xeb, 0xaf, 0x4f,
-      0x7a, 0xa7, 0x6b, 0x21, 0xf1, 0x0a, 0x96, 0x78, 0xc7, 0xa8, 0x02, 0x7a,
-      0xc2, 0x06, 0xd3, 0x18, 0x79, 0x72, 0x6b, 0xfe, 0x2d, 0xec, 0xd8, 0x8e,
-      0x98, 0x86, 0x89, 0xf4, 0x67, 0x14, 0x2b, 0xac, 0x6d, 0xd7, 0x04, 0xd8,
-      0xab, 0x05, 0xe6, 0x51, 0xf6, 0xee, 0x58, 0x63, 0xef, 0x6a, 0x3e, 0x89,
-      0x99, 0x2a, 0x1c, 0x10, 0xc2, 0xd0, 0x41, 0x9e, 0x1e, 0x9a, 0x9a, 0x57,
-      0x32, 0x0f, 0x49, 0xb4, 0x57, 0x37, 0xa4, 0x26,
-  };
+class Pkcs11RsaPkcs1WycheproofTest
+    : public ::testing::TestWithParam<RsaSignatureTestVector> {
+ protected:
+  void Derive(const RsaSignatureTestVector vec) {
+    SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()),
+                         static_cast<unsigned int>(vec.public_key.size())};

+    ScopedCERTSubjectPublicKeyInfo cert_spki(
+        SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+    ASSERT_TRUE(cert_spki);
+
+    ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+    ASSERT_TRUE(pub_key);
+
+    DataBuffer hash;
+    hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(vec.hash_oid)));
+    SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()),
+                                toUcharPtr(vec.msg.data()), vec.msg.size());
+    ASSERT_EQ(rv, SECSuccess);
+
+    // Verify.
+    SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
+                         static_cast<unsigned int>(hash.len())};
+    SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()),
+                        static_cast<unsigned int>(vec.sig.size())};
+
+    rv = VFY_VerifyDigestDirect(&hash_item, pub_key.get(), &sig_item,
+                                SEC_OID_PKCS1_RSA_ENCRYPTION, vec.hash_oid,
+                                nullptr);
+    EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure);
+  };
+};
+
+TEST(RsaPkcs1Test, RequireNullParameter) {
  // The test vectors may be verified with:
  //
  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii
  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii

  // Import public key.
-  SECItem spkiItem = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)};
-  ScopedCERTSubjectPublicKeyInfo certSpki(
-      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
-  ASSERT_TRUE(certSpki);
-  ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
-  ASSERT_TRUE(pubKey);
+  SECItem spki_item = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)};
+  ScopedCERTSubjectPublicKeyInfo cert_spki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+  ASSERT_TRUE(cert_spki);
+  ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+  ASSERT_TRUE(pub_key);

  SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)};

  // kSignature is a valid signature.
-  SECItem sigItem = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)};
-  SECStatus rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+  SECItem sig_item = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)};
+  SECStatus rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item,
                                        SEC_OID_PKCS1_RSA_ENCRYPTION,
                                        SEC_OID_SHA256, nullptr);
  EXPECT_EQ(SECSuccess, rv);

  // kSignatureInvalid is not.
-  sigItem = {siBuffer, toUcharPtr(kSignatureInvalid),
-             sizeof(kSignatureInvalid)};
-  rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+  sig_item = {siBuffer, toUcharPtr(kSignatureInvalid),
+              sizeof(kSignatureInvalid)};
+  rv = VFY_VerifyDigestDirect(&hash, pub_key.get(), &sig_item,
                              SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256,
                              nullptr);
 #ifdef NSS_PKCS1_AllowMissingParameters
@ -106,4 +96,42 @@ TEST(RsaPkcs1Test, RequireNullParameter) {
 #endif
 }

+TEST_P(Pkcs11RsaPkcs1WycheproofTest, Verify) { Derive(GetParam()); }
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaSignatureSha224Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature2048Sha224WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature2048Sha256WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature2048Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof3072RsaSignatureSha256Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature3072Sha256WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof3072RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature3072Sha384WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof3072RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature3072Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof4096RsaSignatureSha384Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature4096Sha384WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof4096RsaSignatureSha512Test, Pkcs11RsaPkcs1WycheproofTest,
+    ::testing::ValuesIn(kRsaSignature4096Sha512WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsaSignatureTest,
+                        Pkcs11RsaPkcs1WycheproofTest,
+                        ::testing::ValuesIn(kRsaSignatureWycheproofVectors));
+
 }  // namespace nss_test
--- a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@ -9,49 +9,117 @@
 #include "pk11pub.h"
 #include "sechash.h"

+#include "cpputil.h"
+#include "databuffer.h"
+
 #include "gtest/gtest.h"
 #include "nss_scoped_ptrs.h"

 #include "pk11_signature_test.h"
 #include "pk11_rsapss_vectors.h"

+#include "testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h"
+#include "testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h"
+#include "testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h"
+#include "testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h"
+#include "testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h"
+#include "testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h"
+#include "testvectors/rsa_pss_misc-vectors.h"
+
 namespace nss_test {

+class Pkcs11RsaPssTestWycheproof
+    : public ::testing::TestWithParam<RsaPssTestVector> {
+ protected:
+  void TestPss(const RsaPssTestVector& vec) {
+    SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()),
+                         static_cast<unsigned int>(vec.public_key.size())};
+
+    ScopedCERTSubjectPublicKeyInfo cert_spki(
+        SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+    ASSERT_TRUE(cert_spki);
+
+    ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+    ASSERT_TRUE(pub_key);
+
+    DataBuffer hash;
+    hash.Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(vec.hash_oid)));
+    SECStatus rv = PK11_HashBuf(vec.hash_oid, toUcharPtr(hash.data()),
+                                toUcharPtr(vec.msg.data()), vec.msg.size());
+    ASSERT_EQ(rv, SECSuccess);
+
+    // Verify.
+    SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
+                         static_cast<unsigned int>(hash.len())};
+    SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()),
+                        static_cast<unsigned int>(vec.sig.size())};
+    CK_MECHANISM_TYPE hash_mech = 0;
+    switch (vec.hash_oid) {
+      case SEC_OID_SHA1:
+        hash_mech = CKM_SHA_1;
+        break;
+      case SEC_OID_SHA224:
+        hash_mech = CKM_SHA224;
+        break;
+      case SEC_OID_SHA256:
+        hash_mech = CKM_SHA256;
+        break;
+      case SEC_OID_SHA384:
+        hash_mech = CKM_SHA384;
+        break;
+      case SEC_OID_SHA512:
+        hash_mech = CKM_SHA512;
+        break;
+      default:
+        ASSERT_TRUE(hash_mech);
+        return;
+    }
+
+    CK_RSA_PKCS_PSS_PARAMS pss_params = {hash_mech, vec.mgf_hash, vec.sLen};
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&pss_params),
+                      sizeof(pss_params)};
+
+    rv = PK11_VerifyWithMechanism(pub_key.get(), CKM_RSA_PKCS_PSS, &params,
+                                  &sig_item, &hash_item, nullptr);
+    EXPECT_EQ(vec.valid ? SECSuccess : SECFailure, rv);
+  };
+};
+
 class Pkcs11RsaPssTest : public Pk11SignatureTest {
 public:
  Pkcs11RsaPssTest() : Pk11SignatureTest(CKM_RSA_PKCS_PSS, SEC_OID_SHA1) {
-    rsaPssParams_.hashAlg = CKM_SHA_1;
-    rsaPssParams_.mgf = CKG_MGF1_SHA1;
-    rsaPssParams_.sLen = HASH_ResultLenByOidTag(SEC_OID_SHA1);
+    pss_params_.hashAlg = CKM_SHA_1;
+    pss_params_.mgf = CKG_MGF1_SHA1;
+    pss_params_.sLen = HASH_ResultLenByOidTag(SEC_OID_SHA1);

    params_.type = siBuffer;
-    params_.data = reinterpret_cast<unsigned char*>(&rsaPssParams_);
-    params_.len = sizeof(rsaPssParams_);
+    params_.data = reinterpret_cast<unsigned char*>(&pss_params_);
+    params_.len = sizeof(pss_params_);
  }

 protected:
  const SECItem* parameters() const { return &params_; }

 private:
-  CK_RSA_PKCS_PSS_PARAMS rsaPssParams_;
+  CK_RSA_PKCS_PSS_PARAMS pss_params_;
  SECItem params_;
 };

 TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
  // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
  SECOidTag hashOid = SEC_OID_SHA256;
-  CK_MECHANISM_TYPE hashMech = CKM_SHA256;
+  CK_MECHANISM_TYPE hash_mech = CKM_SHA256;
  CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
  PK11RSAGenParams rsaGenParams = {1024, 0x10001};

  // Generate RSA key pair.
  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
-  SECKEYPublicKey* pubKeyRaw = nullptr;
+  SECKEYPublicKey* pub_keyRaw = nullptr;
  ScopedSECKEYPrivateKey privKey(
      PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaGenParams,
-                           &pubKeyRaw, false, false, nullptr));
-  ASSERT_TRUE(!!privKey && pubKeyRaw);
-  ScopedSECKEYPublicKey pubKey(pubKeyRaw);
+                           &pub_keyRaw, false, false, nullptr));
+  ASSERT_TRUE(!!privKey && pub_keyRaw);
+  ScopedSECKEYPublicKey pub_key(pub_keyRaw);

  // Generate random data to sign.
  uint8_t dataBuf[50];
@ -66,30 +134,30 @@ TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
                 static_cast<unsigned int>(sigBuf.size())};

  // Set up PSS parameters.
-  CK_RSA_PKCS_PSS_PARAMS rsaPssParams = {hashMech, mgf, hLen};
-  SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
-                    sizeof(rsaPssParams)};
+  CK_RSA_PKCS_PSS_PARAMS pss_params = {hash_mech, mgf, hLen};
+  SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&pss_params),
+                    sizeof(pss_params)};

  // Sign.
  rv = PK11_SignWithMechanism(privKey.get(), mechanism(), &params, &sig, &data);
  EXPECT_EQ(rv, SECSuccess);

  // Verify.
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mechanism(), &params, &sig, &data,
-                                nullptr);
+  rv = PK11_VerifyWithMechanism(pub_key.get(), mechanism(), &params, &sig,
+                                &data, nullptr);
  EXPECT_EQ(rv, SECSuccess);

  // Verification with modified data must fail.
  data.data[0] ^= 0xff;
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mechanism(), &params, &sig, &data,
-                                nullptr);
+  rv = PK11_VerifyWithMechanism(pub_key.get(), mechanism(), &params, &sig,
+                                &data, nullptr);
  EXPECT_EQ(rv, SECFailure);

  // Verification with original data but the wrong signature must fail.
  data.data[0] ^= 0xff;  // Revert previous changes.
  sig.data[0] ^= 0xff;
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mechanism(), &params, &sig, &data,
-                                nullptr);
+  rv = PK11_VerifyWithMechanism(pub_key.get(), mechanism(), &params, &sig,
+                                &data, nullptr);
  EXPECT_EQ(rv, SECFailure);
 }

@ -100,12 +168,12 @@ TEST_F(Pkcs11RsaPssTest, NoLeakWithInvalidExponent) {

  // Generate RSA key pair.
  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
-  SECKEYPublicKey* pubKey = nullptr;
+  SECKEYPublicKey* pub_key = nullptr;
  SECKEYPrivateKey* privKey =
      PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaGenParams,
-                           &pubKey, false, false, nullptr);
+                           &pub_key, false, false, nullptr);
  EXPECT_FALSE(privKey);
-  EXPECT_FALSE(pubKey);
+  EXPECT_FALSE(pub_key);
 }
 class Pkcs11RsaPssVectorTest
    : public Pkcs11RsaPssTest,
@ -159,4 +227,33 @@ static const Pkcs11SignatureTestParams kRsaPssVectors[] = {
 INSTANTIATE_TEST_CASE_P(RsaPssSignVerify, Pkcs11RsaPssVectorTest,
                        ::testing::ValuesIn(kRsaPssVectors));

+TEST_P(Pkcs11RsaPssTestWycheproof, Verify) { TestPss(GetParam()); }
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaPssSha120Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss2048Sha120WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaPssSha25632Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss2048Sha25632WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof2048RsaPssSha2560Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss2048Sha2560WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof3072RsaPssSha25632Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss3072Sha25632WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof4096RsaPssSha25632Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss4096Sha25632WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(
+    Wycheproof4096RsaPssSha51232Test, Pkcs11RsaPssTestWycheproof,
+    ::testing::ValuesIn(kRsaPss4096Sha51232WycheproofVectors));
+
+INSTANTIATE_TEST_CASE_P(WycheproofRsaPssMiscTest, Pkcs11RsaPssTestWycheproof,
+                        ::testing::ValuesIn(kRsaPssMiscWycheproofVectors));
+
 }  // namespace nss_test
--- a/security/nss/gtests/ssl_gtest/libssl_internals.c
+++ b/security/nss/gtests/ssl_gtest/libssl_internals.c
@ -9,8 +9,11 @@

 #include "nss.h"
 #include "pk11pub.h"
+#include "pk11priv.h"
 #include "seccomon.h"
 #include "selfencrypt.h"
+#include "secmodti.h"
+#include "sslproto.h"

 SECStatus SSLInt_SetDCAdvertisedSigSchemes(PRFileDesc *fd,
                                           const SSLSignatureScheme *schemes,
@ -331,6 +334,9 @@ SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to) {

 SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
  sslSocket *ss;
+  ssl3CipherSpec *spec;
+  PK11Context *pk11ctxt;
+  const ssl3BulkCipherDef *cipher_def;

  ss = ssl_FindSocket(fd);
  if (!ss) {
@ -341,7 +347,43 @@ SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
    return SECFailure;
  }
  ssl_GetSpecWriteLock(ss);
-  ss->ssl3.cwSpec->nextSeqNum = to;
+  spec = ss->ssl3.cwSpec;
+  cipher_def = spec->cipherDef;
+  spec->nextSeqNum = to;
+  if (cipher_def->type != type_aead) {
+    ssl_ReleaseSpecWriteLock(ss);
+    return SECSuccess;
+  }
+  /* If we are using aead, we need to advance the counter in the
+   * internal IV generator as well.
+   * This could be in the token or software. */
+  pk11ctxt = spec->cipherContext;
+  /* If counter is in the token, we need to switch it to software,
+   * since we don't have access to the internal state of the token. We do
+   * that by turning on the simulated message interface, then setting up the
+   * software IV generator */
+  if (pk11ctxt->ivCounter == 0) {
+    _PK11_ContextSetAEADSimulation(pk11ctxt);
+    pk11ctxt->ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size;
+    pk11ctxt->ivMaxCount = PR_UINT64(0xffffffffffffffff);
+    if ((cipher_def->explicit_nonce_size == 0) ||
+        (spec->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {
+      pk11ctxt->ivFixedBits =
+          (pk11ctxt->ivLen - sizeof(sslSequenceNumber)) * BPB;
+      pk11ctxt->ivGen = CKG_GENERATE_COUNTER_XOR;
+    } else {
+      pk11ctxt->ivFixedBits = cipher_def->iv_size * BPB;
+      pk11ctxt->ivGen = CKG_GENERATE_COUNTER;
+    }
+    /* DTLS included the epoch in the fixed portion of the IV */
+    if (IS_DTLS(ss)) {
+      pk11ctxt->ivFixedBits += 2 * BPB;
+    }
+  }
+  /* now we can update the internal counter (either we are already using
+   * the software IV generator, or we just switched to it above */
+  pk11ctxt->ivCounter = to;
+
  ssl_ReleaseSpecWriteLock(ss);
  return SECSuccess;
 }
--- a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
@ -68,18 +68,6 @@ size_t GetHashLength(SSLHashType hash) {
  return 0;
 }

-CK_MECHANISM_TYPE GetHkdfMech(SSLHashType hash) {
-  switch (hash) {
-    case ssl_hash_sha256:
-      return CKM_NSS_HKDF_SHA256;
-    case ssl_hash_sha384:
-      return CKM_NSS_HKDF_SHA384;
-    default:
-      ADD_FAILURE() << "Unknown hash: " << hash;
-  }
-  return CKM_INVALID_MECHANISM;
-}
-
 PRUint16 GetSomeCipherSuiteForHash(SSLHashType hash) {
  switch (hash) {
    case ssl_hash_sha256:
@ -173,7 +161,7 @@ class TlsHkdfTest : public ::testing::Test,
    ScopedPK11SymKey prkk(prk);

    DumpKey("Output", prkk);
-    VerifyKey(prkk, GetHkdfMech(base_hash), expected);
+    VerifyKey(prkk, CKM_HKDF_DERIVE, expected);

    // Now test the public wrapper.
    PRUint16 cs = GetSomeCipherSuiteForHash(base_hash);
@ -181,7 +169,7 @@ class TlsHkdfTest : public ::testing::Test,
                         ikmk2.get(), &prk);
    ASSERT_EQ(SECSuccess, rv);
    ASSERT_NE(nullptr, prk);
-    VerifyKey(ScopedPK11SymKey(prk), GetHkdfMech(base_hash), expected);
+    VerifyKey(ScopedPK11SymKey(prk), CKM_HKDF_DERIVE, expected);
  }

  void HkdfExpandLabel(ScopedPK11SymKey* prk, SSLHashType base_hash,
@ -207,7 +195,7 @@ class TlsHkdfTest : public ::testing::Test,
                             &secret);
    EXPECT_EQ(SECSuccess, rv);
    ASSERT_NE(nullptr, prk);
-    VerifyKey(ScopedPK11SymKey(secret), GetHkdfMech(base_hash), expected);
+    VerifyKey(ScopedPK11SymKey(secret), CKM_HKDF_DERIVE, expected);

    // Verify that a key can be created with a different key type and size.
    rv = SSL_HkdfExpandLabelWithMech(
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@ -1405,7 +1405,7 @@ TokenCRLStillExists(CERTSignedCrl* crl)
        if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual) {
            xstatus = PR_FALSE;
        }
-        if (CKO_NETSCAPE_CRL != crl_class) {
+        if (CKO_NSS_CRL != crl_class) {
            xstatus = PR_FALSE;
        }
    } else {
--- a/security/nss/lib/ckfw/builtins/testlib/Makefile
+++ b/security/nss/lib/ckfw/builtins/testlib/Makefile
@ -38,6 +38,11 @@ EXTRA_SHARED_LIBS +=  \
 	$(NULL)
 endif # OS_TARGET

+SIMPLE_OBJS   = $(notdir $(CSRCS:.c=$(OBJ_SUFFIX)))
+OBJS          = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(SIMPLE_OBJS))
+vpath %c $(dir $(CSRCS)) # $(OBJDIR)
+
+
 include $(CORE_DEPTH)/coreconf/rules.mk

 CFLAGS += -I$(CORE_DEPTH)/lib/ckfw/builtins
@ -50,3 +55,4 @@ endif
 $(OBJDIR)/certdata-testlib.c: $(NSS_CERTDATA-TESTLIB_TXT)
 	@$(MAKE_OBJDIR)
 	$(PERL) ../certdata.perl $(NSS_CERTDATA-TESTLIB_TXT) $@
+
--- a/security/nss/lib/ckfw/dbm/db.c
+++ b/security/nss/lib/ckfw/dbm/db.c
@ -392,19 +392,19 @@ nss_dbm_db_swap_type(
            return type_byte;
        case CKA_MODIFIABLE:
            return type_byte;
-        case CKA_NETSCAPE_URL:
+        case CKA_NSS_URL:
            return type_opaque;
-        case CKA_NETSCAPE_EMAIL:
+        case CKA_NSS_EMAIL:
            return type_opaque;
-        case CKA_NETSCAPE_SMIME_INFO:
+        case CKA_NSS_SMIME_INFO:
            return type_opaque;
-        case CKA_NETSCAPE_SMIME_TIMESTAMP:
+        case CKA_NSS_SMIME_TIMESTAMP:
            return type_opaque;
-        case CKA_NETSCAPE_PKCS8_SALT:
+        case CKA_NSS_PKCS8_SALT:
            return type_opaque;
-        case CKA_NETSCAPE_PASSWORD_CHECK:
+        case CKA_NSS_PASSWORD_CHECK:
            return type_opaque;
-        case CKA_NETSCAPE_EXPIRES:
+        case CKA_NSS_EXPIRES:
            return type_opaque;
        case CKA_TRUST_DIGITAL_SIGNATURE:
            return type_long;
@ -436,9 +436,9 @@ nss_dbm_db_swap_type(
            return type_long;
        case CKA_TRUST_TIME_STAMPING:
            return type_long;
-        case CKA_NETSCAPE_DB:
+        case CKA_NSS_DB:
            return type_opaque;
-        case CKA_NETSCAPE_TRUST:
+        case CKA_NSS_TRUST:
            return type_opaque;
        default:
            return type_opaque;
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@ -189,11 +189,11 @@ nssSlot_IsTokenPresent(
        if (session) {
            nssSession_EnterMonitor(session);
            /* token is not present */
-            if (session->handle != CK_INVALID_SESSION) {
+            if (session->handle != CK_INVALID_HANDLE) {
                /* session is valid, close and invalidate it */
                CKAPI(epv)
                    ->C_CloseSession(session->handle);
-                session->handle = CK_INVALID_SESSION;
+                session->handle = CK_INVALID_HANDLE;
            }
            nssSession_ExitMonitor(session);
        }
@ -215,17 +215,17 @@ nssSlot_IsTokenPresent(
    if (session) {
        PRBool tokenRemoved;
        nssSession_EnterMonitor(session);
-        if (session->handle != CK_INVALID_SESSION) {
+        if (session->handle != CK_INVALID_HANDLE) {
            CK_SESSION_INFO sessionInfo;
            ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
            if (ckrv != CKR_OK) {
                /* session is screwy, close and invalidate it */
                CKAPI(epv)
                    ->C_CloseSession(session->handle);
-                session->handle = CK_INVALID_SESSION;
+                session->handle = CK_INVALID_HANDLE;
            }
        }
-        tokenRemoved = (session->handle == CK_INVALID_SESSION);
+        tokenRemoved = (session->handle == CK_INVALID_HANDLE);
        nssSession_ExitMonitor(session);
        /* token not removed, finished */
        if (!tokenRemoved) {
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@ -260,7 +260,7 @@ find_objects(
    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        ckrv = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }
@ -1124,7 +1124,7 @@ nssToken_FindTrustForCertificate(
    nssCryptokiObject *object = NULL, **objects;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return object;
    }
@ -1206,7 +1206,7 @@ nssToken_FindCRLsBySubject(
    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return objects;
    }
@ -1262,7 +1262,7 @@ nssToken_Digest(
    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return rvItem;
    }
@ -1328,7 +1328,7 @@ nssToken_BeginDigest(
    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return PR_FAILURE;
    }
@ -1350,7 +1350,7 @@ nssToken_ContinueDigest(
    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return PR_FAILURE;
    }
@ -1378,7 +1378,7 @@ nssToken_FinishDigest(
    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return NULL;
    }
@ -1457,7 +1457,7 @@ nssToken_TraverseCertificates(
    nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
-    if (!session || session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return PR_FAILURE;
    }
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@ -284,10 +284,10 @@ nssTokenObjectCache_HaveObjectClass(
        case CKO_CERTIFICATE:
            haveIt = cache->doObjectType[cachedCerts];
            break;
-        case CKO_NETSCAPE_TRUST:
+        case CKO_NSS_TRUST:
            haveIt = cache->doObjectType[cachedTrust];
            break;
-        case CKO_NETSCAPE_CRL:
+        case CKO_NSS_CRL:
            haveIt = cache->doObjectType[cachedCRLs];
            break;
        default:
@ -472,7 +472,7 @@ create_cert(
        CKA_ISSUER,
        CKA_SERIAL_NUMBER,
        CKA_SUBJECT,
-        CKA_NETSCAPE_EMAIL
+        CKA_NSS_EMAIL
    };
    static const PRUint32 numCertAttr = sizeof(certAttr) / sizeof(certAttr[0]);
    return create_object(object, certAttr, numCertAttr, status);
@ -511,8 +511,8 @@ create_crl(
        CKA_LABEL,
        CKA_VALUE,
        CKA_SUBJECT,
-        CKA_NETSCAPE_KRL,
-        CKA_NETSCAPE_URL
+        CKA_NSS_KRL,
+        CKA_NSS_URL
    };
    static const PRUint32 numCRLAttr = sizeof(crlAttr) / sizeof(crlAttr[0]);
    return create_object(object, crlAttr, numCRLAttr, status);
@ -716,10 +716,10 @@ nssTokenObjectCache_FindObjectsByTemplate(
        case CKO_CERTIFICATE:
            objectType = cachedCerts;
            break;
-        case CKO_NETSCAPE_TRUST:
+        case CKO_NSS_TRUST:
            objectType = cachedTrust;
            break;
-        case CKO_NETSCAPE_CRL:
+        case CKO_NSS_CRL:
            objectType = cachedCRLs;
            break;
        default:
@ -784,10 +784,10 @@ nssTokenObjectCache_GetObjectAttributes(
        case CKO_CERTIFICATE:
            objectType = cachedCerts;
            break;
-        case CKO_NETSCAPE_TRUST:
+        case CKO_NSS_TRUST:
            objectType = cachedTrust;
            break;
-        case CKO_NETSCAPE_CRL:
+        case CKO_NSS_CRL:
            objectType = cachedCRLs;
            break;
        default:
@ -877,10 +877,10 @@ nssTokenObjectCache_ImportObject(
        case CKO_CERTIFICATE:
            objectType = cachedCerts;
            break;
-        case CKO_NETSCAPE_TRUST:
+        case CKO_NSS_TRUST:
            objectType = cachedTrust;
            break;
-        case CKO_NETSCAPE_CRL:
+        case CKO_NSS_CRL:
            objectType = cachedCRLs;
            break;
        default:
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@ -85,11 +85,11 @@ endif
 # FREEBL_PRELINK_COMMAND
 #
 # This is an optional environment variable which can override the default
-# prelink command. It could be used on systems that did something similiar to 
-# prelink but used a different command and syntax. The only requirement is the 
-# program must take the library as the last argument, the program must output 
-# the original library to standard out, and the program does not need to take 
-# any quoted or imbedded spaces in its arguments (except the path to the 
+# prelink command. It could be used on systems that did something similiar to
+# prelink but used a different command and syntax. The only requirement is the
+# program must take the library as the last argument, the program must output
+# the original library to standard out, and the program does not need to take
+# any quoted or imbedded spaces in its arguments (except the path to the
 # library itself, which can have imbedded spaces or special characters).
 #
 ifdef FREEBL_USE_PRELINK
@ -124,7 +124,9 @@ ifeq ($(CPU_ARCH),aarch64)
    EXTRA_SRCS += aes-armv8.c gcm-aarch64.c
 endif
 ifeq ($(CPU_ARCH),arm)
+ifndef NSS_DISABLE_ARM32_NEON
    EXTRA_SRCS += gcm-arm32-neon.c
+endif
    ifdef CC_IS_CLANG
        DEFINES += -DUSE_HW_AES
        EXTRA_SRCS += aes-armv8.c
@ -148,7 +150,7 @@ endif

 ifeq (OS2,$(OS_TARGET))
    ASFILES  = mpi_x86_os2.s
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
    DEFINES += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
    DEFINES += -DMP_IS_LITTLE_ENDIAN
@ -169,7 +171,7 @@ ifdef NS_USE_GCC
 else
 # MSVC
    MPI_SRCS += mpi_x86_asm.c
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
    ifdef BUILD_OPT
 	OPTIMIZER += -Ox  # maximum optimization for freebl
@ -220,7 +222,7 @@ ifeq ($(USE_N32),1)
    ifeq ($(NS_USE_GCC),1)
 	ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3
    else
-	ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
+	ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3
    endif
    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
    DEFINES += -DMP_USE_UINT_DIGIT
@ -253,12 +255,12 @@ ifeq ($(CPU_ARCH),x86_64)
 endif
 ifeq ($(CPU_ARCH),x86)
    ASFILES  = mpi_x86.s
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT
    DEFINES += -DMP_IS_LITTLE_ENDIAN
 endif
 ifeq ($(CPU_ARCH),arm)
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
    DEFINES += -DMP_USE_UINT_DIGIT
    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
    MPI_SRCS += mpi_arm.c
@ -283,7 +285,7 @@ ifneq ($(OS_TEST), ia64)
 # PA-RISC
 ASFILES += ret_cr16.s
 ifndef USE_64
-    FREEBL_BUILD_SINGLE_SHLIB = 
+    FREEBL_BUILD_SINGLE_SHLIB =
    HAVE_ABI32_INT32 = 1
    HAVE_ABI32_FPU = 1
 endif
@ -294,15 +296,15 @@ ifdef USE_ABI32_INT32
    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
 else
 ifdef USE_64
-# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 64-bit digits 
-    MPI_SRCS += mpi_hp.c 
-    ASFILES  += hpma512.s hppa20.s 
+# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 64-bit digits
+    MPI_SRCS += mpi_hp.c
+    ASFILES  += hpma512.s hppa20.s
    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
 else
-# this builds for DA2.0 (HP PA 2.0 Narrow) ABI32_FPU model 
+# this builds for DA2.0 (HP PA 2.0 Narrow) ABI32_FPU model
 # (the 32-bit ABI with 64-bit registers) using 64-bit digits
-    MPI_SRCS += mpi_hp.c 
-    ASFILES  += hpma512.s hppa20.s 
+    MPI_SRCS += mpi_hp.c
+    ASFILES  += hpma512.s hppa20.s
    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
 ifndef NS_USE_GCC
    ARCHFLAG = -Aa +e +DA2.0 +DS2.0
@ -337,7 +339,7 @@ else
 endif # NS_USE_GCC

 # Sun's WorkShop defines v8, v8plus and v9 architectures.
-# gcc on Solaris defines v8 and v9 "cpus".  
+# gcc on Solaris defines v8 and v9 "cpus".
 # gcc's v9 is equivalent to Workshop's v8plus.
 # gcc's -m64 is equivalent to Workshop's v9
 # We always use Sun's assembler, which uses Sun's naming convention.
@ -387,7 +389,7 @@ ifeq ($(CPU_ARCH),sparc)
 	    FPU_TARGET_OPTIMIZER = -xchip=ultra2
 	endif
 	ifdef USE_ABI32_INT64
-	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers,
 	    # 32-bit ABI, it uses 64-bit words, integer arithmetic,
 	    # no FPU (non-VIS cpus).
 	    # These flags were suggested by the compiler group for building
@ -400,7 +402,7 @@ ifeq ($(CPU_ARCH),sparc)
 	    SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC
 	endif
 	ifdef USE_ABI32_FPU
-	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers,
 	    # 32-bit ABI, it uses FPU code, and 32-bit word size.
 	    # these flags were determined by running cc -### -fast and copying
 	    # the generated flag settings
@ -442,12 +444,12 @@ ifeq ($(CPU_ARCH),sparc)

    ### set flags for both GCC and Sun cc
    ifdef USE_ABI32_INT64
-	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers,
 	# 32-bit ABI, it uses 64-bit words, integer arithmetic, no FPU
 	# best times are with no MP_ flags specified
    endif
    ifdef USE_ABI32_FPU
-	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers,
 	# 32-bit ABI, it uses FPU code, and 32-bit word size
 	MPI_SRCS += mpi_sparc.c
 	ASFILES  = mpv_sparcv8.s montmulfv8.s
@ -503,7 +505,7 @@ else
    else
 	# Solaris x86
 	DEFINES += -DMP_USE_UINT_DIGIT
-	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
 	DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
 	ASFILES  = mpi_i86pc.s
 	ifndef NS_USE_GCC
@ -526,8 +528,12 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
            HAVE_INT128_SUPPORT = 1
            DEFINES += -DHAVE_INT128_SUPPORT
        endif
+        ifneq (,$(filter 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+            NSS_DISABLE_AVX2 = 1
+        endif
        ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
            HAVE_INT128_SUPPORT = 1
+            NSS_DISABLE_AVX2 = 0
            DEFINES += -DHAVE_INT128_SUPPORT
        endif
    endif
@ -540,7 +546,11 @@ endif

 ifndef NSS_DISABLE_CHACHAPOLY
    ifeq ($(CPU_ARCH),x86_64)
-        EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c
+        ifndef NSS_DISABLE_AVX2
+            EXTRA_SRCS += Hacl_Poly1305_256.c Hacl_Chacha20_Vec256.c Hacl_Chacha20Poly1305_256.c
+        else
+            EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c
+        endif # NSS_DISABLE_AVX2
    endif # x86_64

    VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
@ -630,7 +640,7 @@ ifdef FREEBL_BUILD_SINGLE_SHLIB

 ################### Single shared lib stuff #########################
 SINGLE_SHLIB_DIR = $(OBJDIR)/$(OS_TARGET)_SINGLE_SHLIB
-ALL_TRASH += $(SINGLE_SHLIB_DIR) 
+ALL_TRASH += $(SINGLE_SHLIB_DIR)

 $(SINGLE_SHLIB_DIR):
 	-mkdir -p $(SINGLE_SHLIB_DIR)
@ -644,7 +654,7 @@ endif

 ifdef NEED_STUB_BUILD
 SINGLE_SHLIB_DIR = $(OBJDIR)/$(OS_TARGET)_SINGLE_SHLIB
-ALL_TRASH += $(SINGLE_SHLIB_DIR) 
+ALL_TRASH += $(SINGLE_SHLIB_DIR)
 $(SINGLE_SHLIB_DIR):
 	-mkdir $(SINGLE_SHLIB_DIR)

@ -658,7 +668,7 @@ endif
 ######################## ABI32_FPU stuff #########################
 ifdef HAVE_ABI32_FPU
 ABI32_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_FPU
-ALL_TRASH += $(ABI32_FPU_DIR) 
+ALL_TRASH += $(ABI32_FPU_DIR)

 $(ABI32_FPU_DIR):
 	-mkdir $(ABI32_FPU_DIR)
@ -671,7 +681,7 @@ endif
 ######################## ABI32_INT32 stuff #########################
 ifdef HAVE_ABI32_INT32
 ABI32_INT32_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT32
-ALL_TRASH += $(ABI32_INT32_DIR) 
+ALL_TRASH += $(ABI32_INT32_DIR)

 $(ABI32_INT32_DIR):
 	-mkdir $(ABI32_INT32_DIR)
@ -684,7 +694,7 @@ endif
 ######################## ABI32_INT64 stuff #########################
 ifdef HAVE_ABI32_INT64
 ABI32_INT64_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT64
-ALL_TRASH += $(ABI32_INT64_DIR) 
+ALL_TRASH += $(ABI32_INT64_DIR)

 $(ABI32_INT64_DIR):
 	-mkdir $(ABI32_INT64_DIR)
@ -701,7 +711,7 @@ endif
 ######################## ABI64_FPU stuff #########################
 ifdef HAVE_ABI64_FPU
 ABI64_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_FPU
-ALL_TRASH += $(ABI64_FPU_DIR) 
+ALL_TRASH += $(ABI64_FPU_DIR)

 $(ABI64_FPU_DIR):
 	-mkdir $(ABI64_FPU_DIR)
@ -714,7 +724,7 @@ endif
 ######################## ABI64_INT stuff #########################
 ifdef HAVE_ABI64_INT
 ABI64_INT_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_INT
-ALL_TRASH += $(ABI64_INT_DIR) 
+ALL_TRASH += $(ABI64_INT_DIR)

 $(ABI64_INT_DIR):
 	-mkdir $(ABI64_INT_DIR)
@ -770,7 +780,9 @@ ifeq ($(CPU_ARCH),arm)
 # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
 USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
 $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
-$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -march=armv7 -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
+ifndef NSS_DISABLE_ARM32_NEON
+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
+endif
 endif
 ifeq ($(CPU_ARCH),aarch64)
 $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
@ -785,6 +797,12 @@ $(OBJDIR)/$(PROG_PREFIX)rijndael$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvs
 endif
 endif

-$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20_Vec128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes 
-$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes 
-$(OBJDIR)/$(PROG_PREFIX)Hacl_Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes -mpclmul
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20_Vec128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx -maes
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx -maes
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx -maes -mpclmul
+
+ifndef NSS_DISABLE_AVX2
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20Poly1305_256$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx2 -maes
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20_Vec256$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx -mavx2 -maes
+$(OBJDIR)/$(PROG_PREFIX)Hacl_Poly1305_256$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4.1 -msse4.2 -mavx -mavx2 -maes -mpclmul
+endif
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@ -856,6 +856,28 @@ extern SECStatus
 AES_Decrypt(AESContext *cx, unsigned char *output,
            unsigned int *outputLen, unsigned int maxOutputLen,
            const unsigned char *input, unsigned int inputLen);
+/*
+** Perform AES AEAD operation (either encrypt or decrypt), controlled by
+** the context.
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
+**  "params" pointer to an AEAD specific param PKCS #11 param structure
+**  "paramsLen" length of the param structure pointed to by params
+**  "aad" addition authenticated data
+**  "aadLen" the amount of additional authenticated data.
+*/
+extern SECStatus
+AES_AEAD(AESContext *cx, unsigned char *output,
+         unsigned int *outputLen, unsigned int maxOutputLen,
+         const unsigned char *input, unsigned int inputLen,
+         void *params, unsigned int paramsLen,
+         const unsigned char *aad, unsigned int aadLen);

 /******************************************/
 /*
@ -1014,6 +1036,20 @@ extern SECStatus ChaCha20Poly1305_Open(
    const unsigned char *nonce, unsigned int nonceLen,
    const unsigned char *ad, unsigned int adLen);

+extern SECStatus ChaCha20Poly1305_Encrypt(
+    const ChaCha20Poly1305Context *ctx, unsigned char *output,
+    unsigned int *outputLen, unsigned int maxOutputLen,
+    const unsigned char *input, unsigned int inputLen,
+    const unsigned char *nonce, unsigned int nonceLen,
+    const unsigned char *ad, unsigned int adLen, unsigned char *tagOut);
+
+extern SECStatus ChaCha20Poly1305_Decrypt(
+    const ChaCha20Poly1305Context *ctx, unsigned char *output,
+    unsigned int *outputLen, unsigned int maxOutputLen,
+    const unsigned char *input, unsigned int inputLen,
+    const unsigned char *nonce, unsigned int nonceLen,
+    const unsigned char *ad, unsigned int adLen, unsigned char *tagIn);
+
 extern SECStatus ChaCha20_Xor(
    unsigned char *output, const unsigned char *block, unsigned int len,
    const unsigned char *k, const unsigned char *nonce, PRUint32 ctr);
--- a/security/nss/lib/freebl/blapii.h
+++ b/security/nss/lib/freebl/blapii.h
@ -18,6 +18,12 @@ typedef SECStatus (*freeblCipherFunc)(void *cx, unsigned char *output,
                                      unsigned int *outputLen, unsigned int maxOutputLen,
                                      const unsigned char *input, unsigned int inputLen,
                                      unsigned int blocksize);
+typedef SECStatus (*freeblAeadFunc)(void *cx, unsigned char *output,
+                                    unsigned int *outputLen, unsigned int maxOutputLen,
+                                    const unsigned char *input, unsigned int inputLen,
+                                    void *params, unsigned int paramsLen,
+                                    const unsigned char *aad, unsigned int aadLen,
+                                    unsigned int blocksize);
 typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);

 SEC_BEGIN_PROTOS
@ -80,6 +86,7 @@ SECStatus generate_prime(mp_int *prime, int primeLen);
 PRBool aesni_support();
 PRBool clmul_support();
 PRBool avx_support();
+PRBool avx2_support();
 PRBool ssse3_support();
 PRBool sse4_1_support();
 PRBool sse4_2_support();
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@ -199,6 +199,35 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
 */
 #define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))

+/* When we are generating a gcm iv from a random number, we need to calculate
+ * an acceptable iteration count to avoid birthday attacks. (randomly
+ * generating the same IV twice).
+ *
+ * We use the approximation n = sqrt(2*m*p) to find an acceptable n given m
+ * and p.
+ * where n is the number of iterations.
+ *       m is the number of possible random values.
+ *       p is the probability of collision (0-1).
+ *
+ * We want to calculate the constant number GCM_IV_RANDOM_BIRTHDAY_BITS, which
+ * is the number of bits we subtract off of the length of the iv (in bits) to
+ * get a safe count value (log2).
+ *
+ * Since we do the calculation in bits, so we need to take the whole
+ * equation log2:
+ *       log2 n = (1+(log2 m)+(log2 p))/2
+ * Since p < 1, log2 p is negative. Also note that the length of the iv in
+ * bits is log2 m, so if we set GCMIV_RANDOM_BIRTHDAY_BITS =- log2 p - 1.
+ * then we can calculate a safe counter value with:
+ *        n = 2^((ivLenBits - GCMIV_RANDOM_BIRTHDAY_BITS)/2)
+ *
+ * If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
+ * we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
+ * GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
+ * the variable IV size for TLS is 64 bits, which explains why it's not safe
+ * to use a random value for the nonce in TLS. */
+#define GCMIV_RANDOM_BIRTHDAY_BITS 64
+
 /***************************************************************************
 ** Opaque objects
 */
--- a/security/nss/lib/freebl/blinit.c
+++ b/security/nss/lib/freebl/blinit.c
@ -27,6 +27,7 @@ static PRCallOnceType coFreeblInit;
 static PRBool aesni_support_ = PR_FALSE;
 static PRBool clmul_support_ = PR_FALSE;
 static PRBool avx_support_ = PR_FALSE;
+static PRBool avx2_support_ = PR_FALSE;
 static PRBool ssse3_support_ = PR_FALSE;
 static PRBool sse4_1_support_ = PR_FALSE;
 static PRBool sse4_2_support_ = PR_FALSE;
@ -75,28 +76,43 @@ check_xcr0_ymm()
 #define ECX_XSAVE (1 << 26)
 #define ECX_OSXSAVE (1 << 27)
 #define ECX_AVX (1 << 28)
+#define EBX_AVX2 (1 << 5)
+#define EBX_BMI1 (1 << 3)
+#define EBX_BMI2 (1 << 8)
+#define ECX_FMA (1 << 12)
+#define ECX_MOVBE (1 << 22)
 #define ECX_SSSE3 (1 << 9)
 #define ECX_SSE4_1 (1 << 19)
 #define ECX_SSE4_2 (1 << 20)
 #define AVX_BITS (ECX_XSAVE | ECX_OSXSAVE | ECX_AVX)
+#define AVX2_EBX_BITS (EBX_AVX2 | EBX_BMI1 | EBX_BMI2)
+#define AVX2_ECX_BITS (ECX_FMA | ECX_MOVBE)

 void
 CheckX86CPUSupport()
 {
    unsigned long eax, ebx, ecx, edx;
+    unsigned long eax7, ebx7, ecx7, edx7;
    char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
    char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL");
    char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX");
+    char *disable_avx2 = PR_GetEnvSecure("NSS_DISABLE_AVX2");
    char *disable_ssse3 = PR_GetEnvSecure("NSS_DISABLE_SSSE3");
    char *disable_sse4_1 = PR_GetEnvSecure("NSS_DISABLE_SSE4_1");
    char *disable_sse4_2 = PR_GetEnvSecure("NSS_DISABLE_SSE4_2");
    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
+    freebl_cpuid(7, &eax7, &ebx7, &ecx7, &edx7);
    aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
    clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
    /* For AVX we check AVX, OSXSAVE, and XSAVE
     * as well as XMM and YMM state. */
    avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
                   disable_avx == NULL;
+    /* For AVX2 we check AVX2, BMI1, BMI2, FMA, MOVBE.
+     * We do not check for AVX above. */
+    avx2_support_ = (PRBool)((ebx7 & AVX2_EBX_BITS) == AVX2_EBX_BITS &&
+                             (ecx & AVX2_ECX_BITS) == AVX2_ECX_BITS &&
+                             disable_avx2 == NULL);
    ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
                              disable_ssse3 == NULL);
    sse4_1_support_ = (PRBool)((ecx & ECX_SSE4_1) != 0 &&
@ -384,6 +400,11 @@ avx_support()
    return avx_support_;
 }
 PRBool
+avx2_support()
+{
+    return avx2_support_;
+}
+PRBool
 ssse3_support()
 {
    return ssse3_support_;
--- a/security/nss/lib/freebl/chacha20poly1305.c
+++ b/security/nss/lib/freebl/chacha20poly1305.c
@ -15,9 +15,17 @@
 #include "blapii.h"
 #include "chacha20poly1305.h"

-// There are two implementations of ChaCha20Poly1305:
-// 1) 128-bit with hardware acceleration used on x64
-// 2) 32-bit used on all other platforms
+// There are three implementations of ChaCha20Poly1305:
+// 1) 128-bit with AVX hardware acceleration used on x64
+// 2) 256-bit with AVX2 hardware acceleration used on x64
+// 3) 32-bit used on all other platforms
+
+// On x64 when AVX2 and other necessary registers are available,
+// the 256bit-verctorized version will be used. When AVX2 features
+// are unavailable or disabled but AVX registers are available, the
+// 128bit-vectorized version will be used. In all other cases the
+// scalar version of the HACL* code will be used.
+
 // Instead of including the headers (they bring other things we don't want),
 // we declare the functions here.
 // Usage is guarded by runtime checks of required hardware features.
@ -35,6 +43,19 @@ Hacl_Chacha20Poly1305_128_aead_decrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
                                       uint8_t *aad, uint32_t mlen, uint8_t *m,
                                       uint8_t *cipher, uint8_t *mac);

+// Forward declaration from Hacl_Chacha20_Vec256.h and Hacl_Chacha20Poly1305_256.h.
+extern void Hacl_Chacha20_Vec256_chacha20_encrypt_256(uint32_t len, uint8_t *out,
+                                                      uint8_t *text, uint8_t *key,
+                                                      uint8_t *n1, uint32_t ctr);
+extern void
+Hacl_Chacha20Poly1305_256_aead_encrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
+                                       uint8_t *aad, uint32_t mlen, uint8_t *m,
+                                       uint8_t *cipher, uint8_t *mac);
+extern uint32_t
+Hacl_Chacha20Poly1305_256_aead_decrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
+                                       uint8_t *aad, uint32_t mlen, uint8_t *m,
+                                       uint8_t *cipher, uint8_t *mac);
+
 // Forward declaration from Hacl_Chacha20.h and Hacl_Chacha20Poly1305_32.h.
 extern void Hacl_Chacha20_chacha20_encrypt(uint32_t len, uint8_t *out,
                                           uint8_t *text, uint8_t *key,
@ -113,7 +134,15 @@ ChaCha20Xor(uint8_t *output, uint8_t *block, uint32_t len, uint8_t *k,
 {
 #ifdef NSS_X64
    if (ssse3_support() && sse4_1_support() && avx_support()) {
+#ifdef NSS_DISABLE_AVX2
        Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
+#else
+        if (avx2_support()) {
+            Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
+        } else {
+            Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
+        }
+#endif
    } else
 #endif
    {
@ -167,9 +196,21 @@ ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output,

 #ifdef NSS_X64
    if (ssse3_support() && sse4_1_support() && avx_support()) {
+#ifdef NSS_DISABLE_AVX2
        Hacl_Chacha20Poly1305_128_aead_encrypt(
            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
            (uint8_t *)input, output, output + inputLen);
+#else
+        if (avx2_support()) {
+            Hacl_Chacha20Poly1305_256_aead_encrypt(
+                (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
+                (uint8_t *)input, output, output + inputLen);
+        } else {
+            Hacl_Chacha20Poly1305_128_aead_encrypt(
+                (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
+                (uint8_t *)input, output, output + inputLen);
+        }
+#endif
    } else
 #endif
    {
@ -217,9 +258,21 @@ ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output,
    uint32_t res = 1;
 #ifdef NSS_X64
    if (ssse3_support() && sse4_1_support() && avx_support()) {
+#ifdef NSS_DISABLE_AVX2
        res = Hacl_Chacha20Poly1305_128_aead_decrypt(
            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
            (uint8_t *)output, (uint8_t *)input, (uint8_t *)input + ciphertextLen);
+#else
+        if (avx2_support()) {
+            res = Hacl_Chacha20Poly1305_256_aead_decrypt(
+                (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
+                (uint8_t *)output, (uint8_t *)input, (uint8_t *)input + ciphertextLen);
+        } else {
+            res = Hacl_Chacha20Poly1305_128_aead_decrypt(
+                (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
+                (uint8_t *)output, (uint8_t *)input, (uint8_t *)input + ciphertextLen);
+        }
+#endif
    } else
 #endif
    {
@ -237,3 +290,99 @@ ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output,
    return SECSuccess;
 #endif
 }
+
+SECStatus
+ChaCha20Poly1305_Encrypt(const ChaCha20Poly1305Context *ctx,
+                         unsigned char *output, unsigned int *outputLen,
+                         unsigned int maxOutputLen, const unsigned char *input,
+                         unsigned int inputLen, const unsigned char *nonce,
+                         unsigned int nonceLen, const unsigned char *ad,
+                         unsigned int adLen, unsigned char *outTag)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return SECFailure;
+#else
+
+    if (nonceLen != 12) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    // ChaCha has a 64 octet block, with a 32-bit block counter.
+    if (sizeof(inputLen) > 4 && inputLen >= (1ULL << (6 + 32))) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+#ifdef NSS_X64
+    if (ssse3_support() && sse4_1_support() && avx_support()) {
+        Hacl_Chacha20Poly1305_128_aead_encrypt(
+            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
+            (uint8_t *)input, output, outTag);
+    } else
+#endif
+    {
+        Hacl_Chacha20Poly1305_32_aead_encrypt(
+            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
+            (uint8_t *)input, output, outTag);
+    }
+
+    *outputLen = inputLen;
+    return SECSuccess;
+#endif
+}
+
+SECStatus
+ChaCha20Poly1305_Decrypt(const ChaCha20Poly1305Context *ctx,
+                         unsigned char *output, unsigned int *outputLen,
+                         unsigned int maxOutputLen, const unsigned char *input,
+                         unsigned int inputLen, const unsigned char *nonce,
+                         unsigned int nonceLen, const unsigned char *ad,
+                         unsigned int adLen, const unsigned char *tagIn)
+{
+#ifdef NSS_DISABLE_CHACHAPOLY
+    return SECFailure;
+#else
+    unsigned int ciphertextLen;
+
+    if (nonceLen != 12) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    ciphertextLen = inputLen;
+    if (maxOutputLen < ciphertextLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    // ChaCha has a 64 octet block, with a 32-bit block counter.
+    if (sizeof(inputLen) > 4 && inputLen >= (1ULL << (6 + 32))) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    uint32_t res = 1;
+#ifdef NSS_X64
+    if (ssse3_support() && sse4_1_support() && avx_support()) {
+        res = Hacl_Chacha20Poly1305_128_aead_decrypt(
+            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
+            (uint8_t *)output, (uint8_t *)input, (uint8_t *)tagIn);
+    } else
+#endif
+    {
+        res = Hacl_Chacha20Poly1305_32_aead_decrypt(
+            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
+            (uint8_t *)output, (uint8_t *)input, (uint8_t *)tagIn);
+    }
+
+    if (res) {
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+
+    *outputLen = ciphertextLen;
+    return SECSuccess;
+#endif
+}
--- a/security/nss/lib/freebl/fipsfreebl.c
+++ b/security/nss/lib/freebl/fipsfreebl.c
@ -361,7 +361,7 @@ freebl_fips_AES_PowerUpSelfTest(int aes_key_size)
    AESContext *aes_context;
    unsigned int aes_bytes_encrypted;
    unsigned int aes_bytes_decrypted;
-    CK_GCM_PARAMS gcmParams;
+    CK_NSS_GCM_PARAMS gcmParams;
    SECStatus aes_status;

    /*check if aes_key_size is 128, 192, or 256 bits */
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@ -54,11 +54,10 @@
      ],
    },
    {
-      # TODO: make this so that all hardware accelerated code is in here.
-      'target_name': 'hw-acc-crypto',
+      'target_name': 'hw-acc-crypto-avx',
      'type': 'static_library',
      # 'sources': [
-      #   All hardware accelerated crypto currently requires x64
+      #   All AVX hardware accelerated crypto currently requires x64
      # ],
      'dependencies': [
        '<(DEPTH)/exports.gyp:nss_exports'
@ -67,11 +66,13 @@
        [ 'target_arch=="x64"', {
          'cflags': [
            '-mssse3',
-            '-msse4'
+            '-msse4.1',
+            '-msse4.2'
          ],
          'cflags_mozilla': [
            '-mssse3',
-            '-msse4',
+            '-msse4.1',
+            '-msse4.2',
            '-mpclmul',
            '-maes',
            '-mavx',
@ -94,7 +95,8 @@
          'xcode_settings': {
            'OTHER_CFLAGS': [
              '-mssse3',
-              '-msse4',
+              '-msse4.1',
+              '-msse4.2',
              '-mpclmul',
              '-maes',
              '-mavx',
@ -117,6 +119,75 @@
        }],
      ],
    },
+    {
+      'target_name': 'hw-acc-crypto-avx2',
+      'type': 'static_library',
+      # 'sources': [
+      #   All AVX2 hardware accelerated crypto currently requires x64
+      # ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ],
+      'conditions': [
+        [ 'target_arch=="x64"', {
+          'cflags': [
+            '-mssse3',
+            '-msse4.1',
+            '-msse4.2'
+          ],
+          'cflags_mozilla': [
+            '-mssse3',
+            '-msse4.1',
+            '-msse4.2',
+            '-mpclmul',
+            '-maes',
+            '-mavx',
+            '-mavx2',
+          ],
+          # GCC doesn't define this.
+          'defines': [
+            '__SSSE3__',
+          ],
+        }],
+        [ 'OS=="linux" or OS=="android" or OS=="dragonfly" or OS=="freebsd" or \
+           OS=="netbsd" or OS=="openbsd"', {
+          'cflags': [
+            '-mpclmul',
+            '-maes',
+            '-mavx',
+            '-mavx2',
+          ],
+        }],
+        # macOS build doesn't use cflags.
+        [ 'OS=="mac" or OS=="ios"', {
+          'xcode_settings': {
+            'OTHER_CFLAGS': [
+              '-mssse3',
+              '-msse4.1',
+              '-msse4.2',
+              '-mpclmul',
+              '-maes',
+              '-mavx',
+              '-mavx2',
+            ],
+          },
+        }],
+        [ 'target_arch=="arm"', {
+          # Gecko doesn't support non-NEON platform on Android, but tier-3
+          # platform such as Linux/arm will need it
+          'cflags_mozilla': [
+            '-mfpu=neon'
+          ],
+        }],
+        [ 'target_arch=="x64"', {
+          'sources': [
+            'verified/Hacl_Poly1305_256.c',
+            'verified/Hacl_Chacha20_Vec256.c',
+            'verified/Hacl_Chacha20Poly1305_256.c',
+          ],
+        }],
+      ],
+    },
    {
      'target_name': 'gcm-aes-x86_c_lib',
      'type': 'static_library',
@ -253,7 +324,8 @@
      ],
      'dependencies': [
        '<(DEPTH)/exports.gyp:nss_exports',
-        'hw-acc-crypto',
+        'hw-acc-crypto-avx',
+        'hw-acc-crypto-avx2',
      ],
      'conditions': [
        [ 'target_arch=="ia32" or target_arch=="x64"', {
@ -265,11 +337,16 @@
            'armv8_c_lib'
          ],
        }],
-        [ 'target_arch=="arm"', {
+        [ 'disable_arm32_neon==0 and target_arch=="arm"', {
          'dependencies': [
            'gcm-aes-arm32-neon_c_lib',
          ],
        }],
+        [ 'disable_arm32_neon==1 and target_arch=="arm"', {
+          'defines!': [
+            'NSS_DISABLE_ARM32_NEON',
+          ],
+        }],
        [ 'target_arch=="arm64" or target_arch=="aarch64"', {
          'dependencies': [
            'gcm-aes-aarch64_c_lib',
@ -314,7 +391,8 @@
      ],
      'dependencies': [
        '<(DEPTH)/exports.gyp:nss_exports',
-        'hw-acc-crypto',
+        'hw-acc-crypto-avx',
+        'hw-acc-crypto-avx2',
      ],
      'conditions': [
        [ 'target_arch=="ia32" or target_arch=="x64"', {
@ -326,11 +404,16 @@
            'armv8_c_lib',
          ],
        }],
-        [ 'target_arch=="arm"', {
+        [ 'disable_arm32_neon==0 and target_arch=="arm"', {
          'dependencies': [
            'gcm-aes-arm32-neon_c_lib',
          ],
        }],
+        [ 'disable_arm32_neon==1 and target_arch=="arm"', {
+          'defines!': [
+            'NSS_DISABLE_ARM32_NEON',
+          ],
+        }],
        [ 'target_arch=="arm64" or target_arch=="aarch64"', {
          'dependencies': [
            'gcm-aes-aarch64_c_lib',
@ -394,7 +477,8 @@
      'type': 'shared_library',
      'dependencies': [
        '<(DEPTH)/exports.gyp:nss_exports',
-        'hw-acc-crypto',
+        'hw-acc-crypto-avx',
+        'hw-acc-crypto-avx2',
      ],
    },
    {
@ -410,7 +494,8 @@
      ],
      'dependencies': [
        '<(DEPTH)/exports.gyp:nss_exports',
-        'hw-acc-crypto',
+        'hw-acc-crypto-avx',
+        'hw-acc-crypto-avx2',
      ],
      'asflags_mozilla': [
        '-mcpu=v9', '-Wa,-xarch=v9a'
--- a/security/nss/lib/freebl/gcm.c
+++ b/security/nss/lib/freebl/gcm.c
@ -9,6 +9,7 @@
 #endif
 #include "blapii.h"
 #include "blapit.h"
+#include "blapi.h"
 #include "gcm.h"
 #include "ctr.h"
 #include "secerr.h"
@ -21,7 +22,8 @@
 #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
    (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
 #define USE_ARM_GCM
-#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN)
+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
+    !defined(NSS_DISABLE_ARM32_NEON)
 /* We don't test on big endian platform, so disable this on big endian. */
 #define USE_ARM_GCM
 #endif
@ -524,10 +526,18 @@ gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD,
 struct GCMContextStr {
    gcmHashContext *ghash_context;
    CTRContext ctr_context;
+    freeblCipherFunc cipher;
+    void *cipher_context;
    unsigned long tagBits;
    unsigned char tagKey[MAX_BLOCK_SIZE];
+    PRBool ctr_context_init;
+    gcmIVContext gcm_iv;
 };

+SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
+                          unsigned int ivLen, unsigned int tagBits,
+                          const unsigned char *aad, unsigned int aadLen);
+
 GCMContext *
 GCM_CreateContext(void *context, freeblCipherFunc cipher,
                  const unsigned char *params)
@ -536,9 +546,7 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
    gcmHashContext *ghash = NULL;
    unsigned char H[MAX_BLOCK_SIZE];
    unsigned int tmp;
-    PRBool freeCtr = PR_FALSE;
-    const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
-    CK_AES_CTR_PARAMS ctrParams;
+    const CK_NSS_GCM_PARAMS *gcmParams = (const CK_NSS_GCM_PARAMS *)params;
    SECStatus rv;
 #ifdef DISABLE_HW_GCM
    const PRBool sw = PR_TRUE;
@ -546,23 +554,12 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
    const PRBool sw = PR_FALSE;
 #endif

-    if (gcmParams->ulIvLen == 0) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    if (gcmParams->ulTagBits != 128 && gcmParams->ulTagBits != 120 &&
-        gcmParams->ulTagBits != 112 && gcmParams->ulTagBits != 104 &&
-        gcmParams->ulTagBits != 96 && gcmParams->ulTagBits != 64 &&
-        gcmParams->ulTagBits != 32) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
    gcm = PORT_ZNew(GCMContext);
    if (gcm == NULL) {
        return NULL;
    }
+    gcm->cipher = cipher;
+    gcm->cipher_context = context;
    ghash = PORT_ZNewAligned(gcmHashContext, 16, mem);

    /* first plug in the ghash context */
@ -577,51 +574,29 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
        goto loser;
    }

-    /* fill in the Counter context */
-    ctrParams.ulCounterBits = 32;
-    PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb));
-    if (gcmParams->ulIvLen == 12) {
-        PORT_Memcpy(ctrParams.cb, gcmParams->pIv, gcmParams->ulIvLen);
-        ctrParams.cb[AES_BLOCK_SIZE - 1] = 1;
-    } else {
-        rv = gcmHash_Update(ghash, gcmParams->pIv, gcmParams->ulIvLen);
-        if (rv != SECSuccess) {
-            goto loser;
-        }
-        rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, AES_BLOCK_SIZE);
-        if (rv != SECSuccess) {
-            goto loser;
-        }
+    gcm_InitIVContext(&gcm->gcm_iv);
+    gcm->ctr_context_init = PR_FALSE;
+
+    /* if gcmPara/ms is NULL, then we are creating an PKCS #11 MESSAGE
+     * style context, in which we initialize the key once, then do separate
+     * iv/aad's for each message. In that case we only initialize the key
+     * and ghash. We initialize the counter in each separate message */
+    if (gcmParams == NULL) {
+        /* OK we are finished with init, if we are doing MESSAGE interface,
+         * return from here */
+        return gcm;
    }
-    rv = CTR_InitContext(&gcm->ctr_context, context, cipher,
-                         (unsigned char *)&ctrParams);
+
+    rv = gcm_InitCounter(gcm, gcmParams->pIv, gcmParams->ulIvLen,
+                         gcmParams->ulTagBits, gcmParams->pAAD,
+                         gcmParams->ulAADLen);
    if (rv != SECSuccess) {
        goto loser;
    }
-    freeCtr = PR_TRUE;
-
-    /* fill in the gcm structure */
-    gcm->tagBits = gcmParams->ulTagBits; /* save for final step */
-    /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with.
-     * if this assumption changes, we would need to explicitly clear it here */
-    rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, AES_BLOCK_SIZE,
-                    gcm->tagKey, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    /* finally mix in the AAD data */
-    rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
+    gcm->ctr_context_init = PR_TRUE;
    return gcm;

 loser:
-    if (freeCtr) {
-        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
-    }
    if (ghash && ghash->mem) {
        PORT_Free(ghash->mem);
    }
@ -631,13 +606,93 @@ loser:
    return NULL;
 }

+SECStatus
+gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen,
+                unsigned int tagBits, const unsigned char *aad,
+                unsigned int aadLen)
+{
+    gcmHashContext *ghash = gcm->ghash_context;
+    unsigned int tmp;
+    PRBool freeCtr = PR_FALSE;
+    CK_AES_CTR_PARAMS ctrParams;
+    SECStatus rv;
+
+    /* Verify our parameters here */
+    if (ivLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+
+    if (tagBits != 128 && tagBits != 120 &&
+        tagBits != 112 && tagBits != 104 &&
+        tagBits != 96 && tagBits != 64 &&
+        tagBits != 32) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+
+    /* fill in the Counter context */
+    ctrParams.ulCounterBits = 32;
+    PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb));
+    if (ivLen == 12) {
+        PORT_Memcpy(ctrParams.cb, iv, ivLen);
+        ctrParams.cb[AES_BLOCK_SIZE - 1] = 1;
+    } else {
+        rv = gcmHash_Reset(ghash, NULL, 0);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        rv = gcmHash_Update(ghash, iv, ivLen);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, AES_BLOCK_SIZE);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    }
+    rv = CTR_InitContext(&gcm->ctr_context, gcm->cipher_context, gcm->cipher,
+                         (unsigned char *)&ctrParams);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    freeCtr = PR_TRUE;
+
+    /* fill in the gcm structure */
+    gcm->tagBits = tagBits; /* save for final step */
+    /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with.
+     * if this assumption changes, we would need to explicitly clear it here */
+    PORT_Memset(gcm->tagKey, 0, sizeof(gcm->tagKey));
+    rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, AES_BLOCK_SIZE,
+                    gcm->tagKey, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* finally mix in the AAD data */
+    rv = gcmHash_Reset(ghash, aad, aadLen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    if (freeCtr) {
+        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+    }
+    return SECFailure;
+}
+
 void
 GCM_DestroyContext(GCMContext *gcm, PRBool freeit)
 {
    /* these two are statically allocated and will be freed when we free
     * gcm. call their destroy functions to free up any locally
     * allocated data (like mp_int's) */
-    CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+    if (gcm->ctr_context_init) {
+        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+    }
    PORT_Free(gcm->ghash_context->mem);
    PORT_Memset(&gcm->tagBits, 0, sizeof(gcm->tagBits));
    PORT_Memset(gcm->tagKey, 0, sizeof(gcm->tagKey));
@ -706,6 +761,11 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
        return SECFailure;
    }

+    if (!gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+
    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
    if (UINT_MAX - inlen < tagBytes) {
        PORT_SetError(SEC_ERROR_INPUT_LEN);
@ -764,6 +824,11 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
        return SECFailure;
    }

+    if (!gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;

    /* get the authentication block */
@ -798,3 +863,298 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
    return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
                      inbuf, inlen, AES_BLOCK_SIZE);
 }
+
+void
+gcm_InitIVContext(gcmIVContext *gcmIv)
+{
+    gcmIv->counter = 0;
+    gcmIv->max_count = 0;
+    gcmIv->ivGen = CKG_GENERATE;
+    gcmIv->ivLen = 0;
+    gcmIv->fixedBits = 0;
+}
+
+/*
+ * generate the IV on the fly and return it to the application.
+ *   This function keeps a counter, which may be used in the IV
+ *   generation, or may be used in simply to make sure we don't
+ *   generate to many IV's from this same key.
+ *   PKCS #11 defines 4 generating values:
+ *       1) CKG_NO_GENERATE: just use the passed in IV as it.
+ *       2) CKG_GENERATE: the application doesn't care what generation
+ *       scheme is use (we default to counter in this code).
+ *       3) CKG_GENERATE_COUNTER: The IV is the value of a counter.
+ *       4) CKG_GENERATE_RANDOM: The IV is randomly generated.
+ *   We add a fifth rule:
+ *       5) CKG_GENERATE_COUNTER_XOR: The Counter value is xor'ed with
+ *       the IV.
+ *   The value fixedBits specifies the number of bits that will be passed
+ *   on from the original IV. The counter or the random data is is loaded
+ *   in the remainder of the IV not covered by fixedBits, overwriting any
+ *   data there. In the xor case the counter is xor'ed with the data in the
+ *   IV. In all cases only bits outside of fixedBits is modified.
+ *   The number of IV's we can generate is restricted by the size of the
+ *   variable part of the IV and the generation algorithm used. Because of
+ *   this, we require subsequent calls on this context to use the same
+ *   generator, IV len, and fixed bits as the first call.
+ */
+SECStatus
+gcm_GenerateIV(gcmIVContext *gcmIv, unsigned char *iv, unsigned int ivLen,
+               unsigned int fixedBits, CK_GENERATOR_FUNCTION ivGen)
+{
+    unsigned int i;
+    unsigned int flexBits;
+    unsigned int ivOffset;
+    unsigned int ivNewCount;
+    unsigned char ivMask;
+    unsigned char ivSave;
+    SECStatus rv;
+
+    if (gcmIv->counter != 0) {
+        /* If we've already generated a message, make sure all subsequent
+         * messages are using the same generator */
+        if ((gcmIv->ivGen != ivGen) || (gcmIv->fixedBits != fixedBits) ||
+            (gcmIv->ivLen != ivLen)) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+    } else {
+        /* remember these values */
+        gcmIv->ivGen = ivGen;
+        gcmIv->fixedBits = fixedBits;
+        gcmIv->ivLen = ivLen;
+        /* now calculate how may bits of IV we have to supply */
+        flexBits = ivLen * PR_BITS_PER_BYTE; /* bytes->bits */
+        /* first make sure we aren't going to overflow */
+        if (flexBits < fixedBits) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        flexBits -= fixedBits;
+        /* if we are generating a random number reduce the acceptable bits to
+         * avoid birthday attacks */
+        if (ivGen == CKG_GENERATE_RANDOM) {
+            if (flexBits <= GCMIV_RANDOM_BIRTHDAY_BITS) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                return SECFailure;
+            }
+            /* see freebl/blapit.h for how we calculate
+             * GCMIV_RANDOM_BIRTHDAY_BITS */
+            flexBits -= GCMIV_RANDOM_BIRTHDAY_BITS;
+            flexBits = flexBits >> 1;
+        }
+        if (flexBits == 0) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        /* Turn those bits into the number of IV's we can safely return */
+        if (flexBits >= sizeof(gcmIv->max_count) * PR_BITS_PER_BYTE) {
+            gcmIv->max_count = PR_UINT64(0xffffffffffffffff);
+        } else {
+            gcmIv->max_count = PR_UINT64(1) << flexBits;
+        }
+    }
+
+    /* no generate, accept the IV from the source */
+    if (ivGen == CKG_NO_GENERATE) {
+        gcmIv->counter = 1;
+        return SECSuccess;
+    }
+
+    /* make sure we haven't exceeded the number of IVs we can return
+     * for this key, generator, and IV size */
+    if (gcmIv->counter >= gcmIv->max_count) {
+        /* use a unique error from just bad user input */
+        PORT_SetError(SEC_ERROR_EXTRA_INPUT);
+        return SECFailure;
+    }
+
+    /* build to mask to handle the first byte of the IV */
+    ivOffset = fixedBits / PR_BITS_PER_BYTE;
+    ivMask = 0xff >> ((8 - (fixedBits & 7)) & 7);
+    ivNewCount = ivLen - ivOffset;
+
+    /* finally generate the IV */
+    switch (ivGen) {
+        case CKG_GENERATE: /* default to counter */
+        case CKG_GENERATE_COUNTER:
+            iv[ivOffset] = (iv[ivOffset] & ~ivMask) |
+                           (PORT_GET_BYTE_BE(gcmIv->counter, 0, ivNewCount) & ivMask);
+            for (i = 1; i < ivNewCount; i++) {
+                iv[ivOffset + i] = PORT_GET_BYTE_BE(gcmIv->counter, i, ivNewCount);
+            }
+            break;
+        /* for TLS 1.3 */
+        case CKG_GENERATE_COUNTER_XOR:
+            iv[ivOffset] ^=
+                (PORT_GET_BYTE_BE(gcmIv->counter, 0, ivNewCount) & ivMask);
+            for (i = 1; i < ivNewCount; i++) {
+                iv[ivOffset + i] ^= PORT_GET_BYTE_BE(gcmIv->counter, i, ivNewCount);
+            }
+            break;
+        case CKG_GENERATE_RANDOM:
+            ivSave = iv[ivOffset] & ~ivMask;
+            rv = RNG_GenerateGlobalRandomBytes(iv + ivOffset, ivNewCount);
+            iv[ivOffset] = ivSave | (iv[ivOffset] & ivMask);
+            if (rv != SECSuccess) {
+                return rv;
+            }
+            break;
+    }
+    gcmIv->counter++;
+    return SECSuccess;
+}
+
+SECStatus
+GCM_EncryptAEAD(GCMContext *gcm, unsigned char *outbuf,
+                unsigned int *outlen, unsigned int maxout,
+                const unsigned char *inbuf, unsigned int inlen,
+                void *params, unsigned int paramLen,
+                const unsigned char *aad, unsigned int aadLen,
+                unsigned int blocksize)
+{
+    SECStatus rv;
+    unsigned int tagBytes;
+    unsigned int len;
+    const CK_GCM_MESSAGE_PARAMS *gcmParams =
+        (const CK_GCM_MESSAGE_PARAMS *)params;
+
+    PORT_Assert(blocksize == AES_BLOCK_SIZE);
+    if (blocksize != AES_BLOCK_SIZE) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    /* paramLen comes all the way from the application layer, make sure
+     * it's correct */
+    if (paramLen != sizeof(CK_GCM_MESSAGE_PARAMS)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* if we were initialized with the C_EncryptInit, we shouldn't be in this
+     * function */
+    if (gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    if (maxout < inlen) {
+        *outlen = inlen;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    rv = gcm_GenerateIV(&gcm->gcm_iv, gcmParams->pIv, gcmParams->ulIvLen,
+                        gcmParams->ulIvFixedBits, gcmParams->ivGenerator);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    rv = gcm_InitCounter(gcm, gcmParams->pIv, gcmParams->ulIvLen,
+                         gcmParams->ulTagBits, aad, aadLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+
+    rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+                    inbuf, inlen, AES_BLOCK_SIZE);
+    CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    rv = gcmHash_Update(gcm->ghash_context, outbuf, *outlen);
+    if (rv != SECSuccess) {
+        PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
+        *outlen = 0;
+        return SECFailure;
+    }
+    rv = gcm_GetTag(gcm, gcmParams->pTag, &len, tagBytes);
+    if (rv != SECSuccess) {
+        PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
+        *outlen = 0;
+        return SECFailure;
+    };
+    return SECSuccess;
+}
+
+SECStatus
+GCM_DecryptAEAD(GCMContext *gcm, unsigned char *outbuf,
+                unsigned int *outlen, unsigned int maxout,
+                const unsigned char *inbuf, unsigned int inlen,
+                void *params, unsigned int paramLen,
+                const unsigned char *aad, unsigned int aadLen,
+                unsigned int blocksize)
+{
+    SECStatus rv;
+    unsigned int tagBytes;
+    unsigned char tag[MAX_BLOCK_SIZE];
+    const unsigned char *intag;
+    unsigned int len;
+    const CK_GCM_MESSAGE_PARAMS *gcmParams =
+        (const CK_GCM_MESSAGE_PARAMS *)params;
+
+    PORT_Assert(blocksize == AES_BLOCK_SIZE);
+    if (blocksize != AES_BLOCK_SIZE) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    /* paramLen comes all the way from the application layer, make sure
+     * it's correct */
+    if (paramLen != sizeof(CK_GCM_MESSAGE_PARAMS)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* if we were initialized with the C_DecryptInit, we shouldn't be in this
+     * function */
+    if (gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    if (maxout < inlen) {
+        *outlen = inlen;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    rv = gcm_InitCounter(gcm, gcmParams->pIv, gcmParams->ulIvLen,
+                         gcmParams->ulTagBits, aad, aadLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+    intag = gcmParams->pTag;
+    PORT_Assert(tagBytes != 0);
+
+    /* verify the block */
+    rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
+    if (rv != SECSuccess) {
+        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+        return SECFailure;
+    }
+    rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE);
+    if (rv != SECSuccess) {
+        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+        return SECFailure;
+    }
+    /* Don't decrypt if we can't authenticate the encrypted data!
+     * This assumes that if tagBits is may not be a multiple of 8, intag will
+     * preserve the masked off missing bits.  */
+    if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
+        /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+        CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        PORT_Memset(tag, 0, sizeof(tag));
+        return SECFailure;
+    }
+    PORT_Memset(tag, 0, sizeof(tag));
+    /* finish the decryption */
+    rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+                    inbuf, inlen, AES_BLOCK_SIZE);
+    CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+    return rv;
+}
--- a/security/nss/lib/freebl/gcm.h
+++ b/security/nss/lib/freebl/gcm.h
@ -6,6 +6,7 @@
 #define GCM_H 1

 #include "blapii.h"
+#include "pkcs11t.h"
 #include <stdint.h>

 #ifdef NSS_X86_OR_X64
@ -78,6 +79,18 @@ SECStatus GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
                            unsigned int *outlen, unsigned int maxout,
                            const unsigned char *inbuf, unsigned int inlen,
                            unsigned int blocksize);
+SECStatus GCM_EncryptAEAD(GCMContext *gcm, unsigned char *outbuf,
+                          unsigned int *outlen, unsigned int maxout,
+                          const unsigned char *inbuf, unsigned int inlen,
+                          void *params, unsigned int paramLen,
+                          const unsigned char *aad, unsigned int aadLen,
+                          unsigned int blocksize);
+SECStatus GCM_DecryptAEAD(GCMContext *gcm, unsigned char *outbuf,
+                          unsigned int *outlen, unsigned int maxout,
+                          const unsigned char *inbuf, unsigned int inlen,
+                          void *params, unsigned int paramLen,
+                          const unsigned char *aad, unsigned int aadLen,
+                          unsigned int blocksize);

 /* These functions are here only so we can test them */
 #define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */
@ -102,6 +115,15 @@ pre_align struct gcmHashContextStr {
    gcmHashContext *mem;
 } post_align;

+typedef struct gcmIVContextStr gcmIVContext;
+struct gcmIVContextStr {
+    PRUint64 counter;
+    PRUint64 max_count;
+    CK_GENERATOR_FUNCTION ivGen;
+    unsigned int fixedBits;
+    unsigned int ivLen;
+};
+
 SECStatus gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf,
                         unsigned int len);
 SECStatus gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
@ -111,6 +133,11 @@ SECStatus gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD,
 SECStatus gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf,
                        unsigned int *outlen, unsigned int maxout);

+void gcm_InitIVContext(gcmIVContext *gcmiv);
+SECStatus gcm_GenerateIV(gcmIVContext *gcmIv, unsigned char *iv,
+                         unsigned int ivLen, unsigned int fixedBits,
+                         CK_GENERATOR_FUNCTION ivGen);
+
 SEC_END_PROTOS

 #endif
--- a/security/nss/lib/freebl/intel-gcm-wrap.c
+++ b/security/nss/lib/freebl/intel-gcm-wrap.c
@ -36,8 +36,16 @@ struct intel_AES_GCMContextStr {
    unsigned long tagBits;
    unsigned long Alen;
    unsigned long Mlen;
+    freeblCipherFunc cipher;
+    PRBool ctr_context_init;
+    gcmIVContext gcm_iv;
 };

+SECStatus intel_aes_gcmInitCounter(intel_AES_GCMContext *gcm,
+                                   const unsigned char *iv,
+                                   unsigned long ivLen, unsigned long tagBits,
+                                   const unsigned char *aad, unsigned long aadLen);
+
 intel_AES_GCMContext *
 intel_AES_GCM_CreateContext(void *context,
                            freeblCipherFunc cipher,
@ -45,38 +53,9 @@ intel_AES_GCM_CreateContext(void *context,
 {
    intel_AES_GCMContext *gcm = NULL;
    AESContext *aes = (AESContext *)context;
-    const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
-    unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */
-
-    unsigned long IV_whole_len = gcmParams->ulIvLen & (~0xful);
-    unsigned int IV_remainder_len = gcmParams->ulIvLen & 0xful;
-    unsigned long AAD_whole_len = gcmParams->ulAADLen & (~0xful);
-    unsigned int AAD_remainder_len = gcmParams->ulAADLen & 0xful;
-
-    __m128i BSWAP_MASK = _mm_setr_epi8(15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0);
-    __m128i ONE = _mm_set_epi32(0, 0, 0, 1);
-    unsigned int j;
+    const CK_NSS_GCM_PARAMS *gcmParams = (const CK_NSS_GCM_PARAMS *)params;
    SECStatus rv;

-    if (gcmParams->ulIvLen == 0) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    if (gcmParams->ulTagBits != 128 && gcmParams->ulTagBits != 120 &&
-        gcmParams->ulTagBits != 112 && gcmParams->ulTagBits != 104 &&
-        gcmParams->ulTagBits != 96 && gcmParams->ulTagBits != 64 &&
-        gcmParams->ulTagBits != 32) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    // Limit AADLen in accordance with SP800-38D
-    if (sizeof(AAD_whole_len) >= 8 && AAD_whole_len > (1ULL << 61) - 1) {
-        PORT_SetError(SEC_ERROR_INPUT_LEN);
-        return NULL;
-    }
-
    gcm = PORT_ZNew(intel_AES_GCMContext);
    if (gcm == NULL) {
        return NULL;
@ -84,40 +63,102 @@ intel_AES_GCM_CreateContext(void *context,

    /* initialize context fields */
    gcm->aes_context = aes;
-    gcm->tagBits = gcmParams->ulTagBits;
+    gcm->cipher = cipher;
    gcm->Alen = 0;
    gcm->Mlen = 0;
+    gcm->ctr_context_init = PR_FALSE;

    /* first prepare H and its derivatives for ghash */
    intel_aes_gcmINIT(gcm->Htbl, (unsigned char *)aes->k.expandedKey, aes->Nr);

+    gcm_InitIVContext(&gcm->gcm_iv);
+
+    /* if gcmParams is NULL, then we are creating an PKCS #11 MESSAGE
+     * style context, in which we initialize the key once, then do separate
+     * iv/aad's for each message. If we are doing that kind of operation,
+     * we've finished with init here. We'll init the Counter in each AEAD
+     * call */
+    if (gcmParams == NULL) {
+        return gcm;
+    }
+
+    rv = intel_aes_gcmInitCounter(gcm, gcmParams->pIv,
+                                  gcmParams->ulIvLen, gcmParams->ulTagBits,
+                                  gcmParams->pAAD, gcmParams->ulAADLen);
+    if (rv != SECSuccess) {
+        PORT_Free(gcm);
+        return NULL;
+    }
+    gcm->ctr_context_init = PR_TRUE;
+
+    return gcm;
+}
+
+SECStatus
+intel_aes_gcmInitCounter(intel_AES_GCMContext *gcm,
+                         const unsigned char *iv, unsigned long ivLen,
+                         unsigned long tagBits,
+                         const unsigned char *aad, unsigned long aadLen)
+{
+    unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */
+    unsigned long IV_whole_len = ivLen & (~0xful);
+    unsigned int IV_remainder_len = ivLen & 0xful;
+    unsigned long AAD_whole_len = aadLen & (~0xful);
+    unsigned int AAD_remainder_len = aadLen & 0xful;
+    unsigned int j;
+    __m128i BSWAP_MASK = _mm_setr_epi8(15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0);
+    __m128i ONE = _mm_set_epi32(0, 0, 0, 1);
+    SECStatus rv;
+
+    if (ivLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (tagBits != 128 && tagBits != 120 && tagBits != 112 &&
+        tagBits != 104 && tagBits != 96 && tagBits != 64 &&
+        tagBits != 32) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    gcm->tagBits = tagBits;
+
+    /* reset the aad and message length counters */
+    gcm->Alen = 0;
+    gcm->Mlen = 0;
+
+    // Limit AADLen in accordance with SP800-38D
+    if (sizeof(AAD_whole_len) >= 8 && AAD_whole_len > (1ULL << 61) - 1) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
    /* Initial TAG value is zero */
    _mm_storeu_si128((__m128i *)gcm->T, _mm_setzero_si128());
    _mm_storeu_si128((__m128i *)gcm->X0, _mm_setzero_si128());

    /* Init the counter */
-    if (gcmParams->ulIvLen == 12) {
+    if (ivLen == 12) {
        _mm_storeu_si128((__m128i *)gcm->CTR,
-                         _mm_setr_epi32(((unsigned int *)gcmParams->pIv)[0],
-                                        ((unsigned int *)gcmParams->pIv)[1],
-                                        ((unsigned int *)gcmParams->pIv)[2],
+                         _mm_setr_epi32(((unsigned int *)iv)[0],
+                                        ((unsigned int *)iv)[1],
+                                        ((unsigned int *)iv)[2],
                                        0x01000000));
    } else {
        /* If IV size is not 96 bits, then the initial counter value is GHASH
         * of the IV */
-        intel_aes_gcmAAD(gcm->Htbl, gcmParams->pIv, IV_whole_len, gcm->T);
+        intel_aes_gcmAAD(gcm->Htbl, (unsigned char *)iv, IV_whole_len, gcm->T);

        /* Partial block */
        if (IV_remainder_len) {
            PORT_Memset(buff, 0, AES_BLOCK_SIZE);
-            PORT_Memcpy(buff, gcmParams->pIv + IV_whole_len, IV_remainder_len);
+            PORT_Memcpy(buff, iv + IV_whole_len, IV_remainder_len);
            intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
        }

        intel_aes_gcmTAG(
            gcm->Htbl,
            gcm->T,
-            gcmParams->ulIvLen,
+            ivLen,
            0,
            gcm->X0,
            gcm->CTR);
@ -128,10 +169,10 @@ intel_AES_GCM_CreateContext(void *context,

    /* Encrypt the initial counter, will be used to encrypt the GHASH value,
     * in the end */
-    rv = (*cipher)(context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR,
-                   AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    rv = (*gcm->cipher)(gcm->aes_context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR,
+                        AES_BLOCK_SIZE, AES_BLOCK_SIZE);
    if (rv != SECSuccess) {
-        goto loser;
+        return SECFailure;
    }

    /* Promote the counter by 1 */
@ -141,18 +182,14 @@ intel_AES_GCM_CreateContext(void *context,
     * creation from the AAD, because that would allow to reuse the H, which
     * only changes when the AES key changes, and not every package, like the
     * IV and AAD */
-    intel_aes_gcmAAD(gcm->Htbl, gcmParams->pAAD, AAD_whole_len, gcm->T);
+    intel_aes_gcmAAD(gcm->Htbl, (unsigned char *)aad, AAD_whole_len, gcm->T);
    if (AAD_remainder_len) {
        PORT_Memset(buff, 0, AES_BLOCK_SIZE);
-        PORT_Memcpy(buff, gcmParams->pAAD + AAD_whole_len, AAD_remainder_len);
+        PORT_Memcpy(buff, aad + AAD_whole_len, AAD_remainder_len);
        intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
    }
-    gcm->Alen += gcmParams->ulAADLen;
-    return gcm;
-
-loser:
-    PORT_Free(gcm);
-    return NULL;
+    gcm->Alen += aadLen;
+    return SECSuccess;
 }

 void
@ -183,6 +220,11 @@ intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm,
        return SECFailure;
    }

+    if (!gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+
    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
    if (UINT_MAX - inlen < tagBytes) {
        PORT_SetError(SEC_ERROR_INPUT_LEN);
@ -229,6 +271,11 @@ intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm,
    unsigned char T[AES_BLOCK_SIZE];
    const unsigned char *intag;

+    if (!gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+
    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;

    /* get the authentication block */
@ -281,4 +328,140 @@ intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm,
    return SECSuccess;
 }

+SECStatus
+intel_AES_GCM_EncryptAEAD(intel_AES_GCMContext *gcm,
+                          unsigned char *outbuf,
+                          unsigned int *outlen, unsigned int maxout,
+                          const unsigned char *inbuf, unsigned int inlen,
+                          void *params, unsigned int paramLen,
+                          const unsigned char *aad, unsigned int aadLen,
+                          unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    const CK_GCM_MESSAGE_PARAMS *gcmParams =
+        (const CK_GCM_MESSAGE_PARAMS *)params;
+    SECStatus rv;
+
+    // GCM has a 16 octet block, with a 32-bit block counter
+    // Limit in accordance with SP800-38D
+    if (sizeof(inlen) > 4 &&
+        inlen >= ((1ULL << 32) - 2) * AES_BLOCK_SIZE) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    /* paramLen comes all the way from the application layer, make sure
+     * it's correct */
+    if (paramLen != sizeof(CK_GCM_MESSAGE_PARAMS)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* if we were initialized with the C_EncryptInit, we shouldn't be in this
+     * function */
+    if (gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    if (maxout < inlen) {
+        *outlen = inlen;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    rv = gcm_GenerateIV(&gcm->gcm_iv, gcmParams->pIv, gcmParams->ulIvLen,
+                        gcmParams->ulIvFixedBits, gcmParams->ivGenerator);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    rv = intel_aes_gcmInitCounter(gcm, gcmParams->pIv, gcmParams->ulIvLen,
+                                  gcmParams->ulTagBits, aad, aadLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+
+    intel_aes_gcmENC(inbuf, outbuf, gcm, inlen);
+
+    gcm->Mlen += inlen;
+
+    intel_aes_gcmTAG(gcm->Htbl, gcm->T, gcm->Mlen, gcm->Alen, gcm->X0, T);
+
+    *outlen = inlen;
+    PORT_Memcpy(gcmParams->pTag, T, tagBytes);
+    return SECSuccess;
+}
+
+SECStatus
+intel_AES_GCM_DecryptAEAD(intel_AES_GCMContext *gcm,
+                          unsigned char *outbuf,
+                          unsigned int *outlen, unsigned int maxout,
+                          const unsigned char *inbuf, unsigned int inlen,
+                          void *params, unsigned int paramLen,
+                          const unsigned char *aad, unsigned int aadLen,
+                          unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    const unsigned char *intag;
+    const CK_GCM_MESSAGE_PARAMS *gcmParams =
+        (const CK_GCM_MESSAGE_PARAMS *)params;
+    SECStatus rv;
+
+    /* paramLen comes all the way from the application layer, make sure
+     * it's correct */
+    if (paramLen != sizeof(CK_GCM_MESSAGE_PARAMS)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* if we were initialized with the C_DecryptInit, we shouldn't be in this
+     * function */
+    if (gcm->ctr_context_init) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    // GCM has a 16 octet block, with a 32-bit block counter
+    // Limit in accordance with SP800-38D
+    if (sizeof(inlen) > 4 &&
+        inlen >= ((1ULL << 32) - 2) * AES_BLOCK_SIZE) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+
+    if (maxout < inlen) {
+        *outlen = inlen;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    rv = intel_aes_gcmInitCounter(gcm, gcmParams->pIv, gcmParams->ulIvLen,
+                                  gcmParams->ulTagBits, aad, aadLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+    intag = gcmParams->pTag;
+    PORT_Assert(tagBytes != 0);
+
+    intel_aes_gcmDEC(inbuf, outbuf, gcm, inlen);
+
+    gcm->Mlen += inlen;
+    intel_aes_gcmTAG(gcm->Htbl, gcm->T, gcm->Mlen, gcm->Alen, gcm->X0, T);
+
+    if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) {
+        memset(outbuf, 0, inlen);
+        *outlen = 0;
+        /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+    *outlen = inlen;
+
+    return SECSuccess;
+}
 #endif
--- a/security/nss/lib/freebl/intel-gcm.h
+++ b/security/nss/lib/freebl/intel-gcm.h
@ -40,6 +40,20 @@ SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, unsigned char *
                                      unsigned int *outlen, unsigned int maxout,
                                      const unsigned char *inbuf, unsigned int inlen,
                                      unsigned int blocksize);
+SECStatus intel_AES_GCM_EncryptAEAD(intel_AES_GCMContext *gcm,
+                                    unsigned char *outbuf,
+                                    unsigned int *outlen, unsigned int maxout,
+                                    const unsigned char *inbuf, unsigned int inlen,
+                                    void *params, unsigned int paramLen,
+                                    const unsigned char *aad, unsigned int aadLen,
+                                    unsigned int blocksize);
+SECStatus intel_AES_GCM_DecryptAEAD(intel_AES_GCMContext *gcm,
+                                    unsigned char *outbuf,
+                                    unsigned int *outlen, unsigned int maxout,
+                                    const unsigned char *inbuf, unsigned int inlen,
+                                    void *params, unsigned int paramLen,
+                                    const unsigned char *aad, unsigned int aadLen,
+                                    unsigned int blocksize);

 /* Prototypes of functions in the assembler file for fast AES-GCM, using
   Intel AES-NI and CLMUL-NI, as described in [1]
--- a/security/nss/lib/freebl/ldvector.c
+++ b/security/nss/lib/freebl/ldvector.c
@ -327,9 +327,14 @@ static const struct FREEBLVectorStr vector =
      CMAC_Begin,
      CMAC_Update,
      CMAC_Finish,
-      CMAC_Destroy
+      CMAC_Destroy,

      /* End of version 3.022 */
+      ChaCha20Poly1305_Encrypt,
+      ChaCha20Poly1305_Decrypt,
+      AES_AEAD
+
+      /* End of version 3.023 */
    };

 const FREEBLVector*
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@ -470,6 +470,19 @@ AES_Decrypt(AESContext *cx, unsigned char *output,
                                   input, inputLen);
 }

+SECStatus
+AES_AEAD(AESContext *cx, unsigned char *output,
+         unsigned int *outputLen, unsigned int maxOutputLen,
+         const unsigned char *input, unsigned int inputLen,
+         void *params, unsigned int paramsLen,
+         const unsigned char *aad, unsigned int aadLen)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+        return SECFailure;
+    return (vector->p_AES_AEAD)(cx, output, outputLen, maxOutputLen, input,
+                                inputLen, params, paramsLen, aad, aadLen);
+}
+
 SECStatus
 MD5_Hash(unsigned char *dest, const char *src)
 {
@ -2127,6 +2140,38 @@ ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
        nonce, nonceLen, ad, adLen);
 }

+SECStatus
+ChaCha20Poly1305_Encrypt(const ChaCha20Poly1305Context *ctx,
+                         unsigned char *output, unsigned int *outputLen,
+                         unsigned int maxOutputLen,
+                         const unsigned char *input, unsigned int inputLen,
+                         const unsigned char *nonce, unsigned int nonceLen,
+                         const unsigned char *ad, unsigned int adLen,
+                         unsigned char *tagOut)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+        return SECFailure;
+    return (vector->p_ChaCha20Poly1305_Encrypt)(
+        ctx, output, outputLen, maxOutputLen, input, inputLen,
+        nonce, nonceLen, ad, adLen, tagOut);
+}
+
+SECStatus
+ChaCha20Poly1305_Decrypt(const ChaCha20Poly1305Context *ctx,
+                         unsigned char *output, unsigned int *outputLen,
+                         unsigned int maxOutputLen,
+                         const unsigned char *input, unsigned int inputLen,
+                         const unsigned char *nonce, unsigned int nonceLen,
+                         const unsigned char *ad, unsigned int adLen,
+                         unsigned char *tagIn)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+        return SECFailure;
+    return (vector->p_ChaCha20Poly1305_Decrypt)(
+        ctx, output, outputLen, maxOutputLen, input, inputLen,
+        nonce, nonceLen, ad, adLen, tagIn);
+}
+
 int
 EC_GetPointSize(const ECParams *params)
 {
--- a/security/nss/lib/freebl/loader.h
+++ b/security/nss/lib/freebl/loader.h
@ -10,7 +10,7 @@

 #include "blapi.h"

-#define FREEBL_VERSION 0x0316
+#define FREEBL_VERSION 0x0323

 struct FREEBLVectorStr {

@ -778,6 +778,25 @@ struct FREEBLVectorStr {
    void (*p_CMAC_Destroy)(CMACContext *ctx, PRBool free_it);

    /* Version 3.022 came to here */
+    SECStatus (*p_ChaCha20Poly1305_Encrypt)(
+        const ChaCha20Poly1305Context *ctx, unsigned char *output,
+        unsigned int *outputLen, unsigned int maxOutputLen,
+        const unsigned char *input, unsigned int inputLen,
+        const unsigned char *nonce, unsigned int nonceLen,
+        const unsigned char *ad, unsigned int adLen, unsigned char *tagOut);
+
+    SECStatus (*p_ChaCha20Poly1305_Decrypt)(
+        const ChaCha20Poly1305Context *ctx, unsigned char *output,
+        unsigned int *outputLen, unsigned int maxOutputLen,
+        const unsigned char *input, unsigned int inputLen,
+        const unsigned char *nonce, unsigned int nonceLen,
+        const unsigned char *ad, unsigned int adLen, unsigned char *tagIn);
+    SECStatus (*p_AES_AEAD)(AESContext *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen,
+                            void *params, unsigned int paramsLen,
+                            const unsigned char *aad, unsigned int aadLen);
+    /* Version 3.023 came to here */

    /* Add new function pointers at the end of this struct and bump
     * FREEBL_VERSION at the beginning of this file. */
--- a/security/nss/lib/freebl/mpi/mpcpucache.c
+++ b/security/nss/lib/freebl/mpi/mpcpucache.c
@ -39,7 +39,8 @@ freebl_cpuid(unsigned long op, unsigned long *eax,
             unsigned long *ebx, unsigned long *ecx,
             unsigned long *edx)
 {
-    __asm__("cpuid\n\t"
+    __asm__("xor %%ecx, %%ecx\n\t"
+            "cpuid\n\t"
            : "=a"(*eax),
              "=b"(*ebx),
              "=c"(*ecx),
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@ -999,6 +999,7 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
    }

    /* finally, set up any mode specific contexts */
+    cx->worker_aead = 0;
    switch (mode) {
        case NSS_AES_CTS:
            cx->worker_cx = CTS_CreateContext(cx, cx->worker, iv);
@ -1013,6 +1014,8 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
                cx->worker_cx = intel_AES_GCM_CreateContext(cx, cx->worker, iv);
                cx->worker = (freeblCipherFunc)(encrypt ? intel_AES_GCM_EncryptUpdate
                                                        : intel_AES_GCM_DecryptUpdate);
+                cx->worker_aead = (freeblAeadFunc)(encrypt ? intel_AES_GCM_EncryptAEAD
+                                                           : intel_AES_GCM_DecryptAEAD);
                cx->destroy = (freeblDestroyFunc)intel_AES_GCM_DestroyContext;
                cx->isBlock = PR_FALSE;
            } else
@ -1021,6 +1024,9 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
                cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv);
                cx->worker = (freeblCipherFunc)(encrypt ? GCM_EncryptUpdate
                                                        : GCM_DecryptUpdate);
+                cx->worker_aead = (freeblAeadFunc)(encrypt ? GCM_EncryptAEAD
+                                                           : GCM_DecryptAEAD);
+
                cx->destroy = (freeblDestroyFunc)GCM_DestroyContext;
                cx->isBlock = PR_FALSE;
            }
@ -1170,7 +1176,7 @@ AES_Decrypt(AESContext *cx, unsigned char *output,
        PORT_SetError(SEC_ERROR_INPUT_LEN);
        return SECFailure;
    }
-    if (maxOutputLen < inputLen) {
+    if ((cx->mode != NSS_AES_GCM) && (maxOutputLen < inputLen)) {
        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
        return SECFailure;
    }
@ -1178,3 +1184,55 @@ AES_Decrypt(AESContext *cx, unsigned char *output,
    return (*cx->worker)(cx->worker_cx, output, outputLen, maxOutputLen,
                         input, inputLen, AES_BLOCK_SIZE);
 }
+
+/*
+ * AES_Encrypt_AEAD
+ *
+ * Encrypt using GCM or CCM. include the nonce, extra data, and the tag
+ */
+SECStatus
+AES_AEAD(AESContext *cx, unsigned char *output,
+         unsigned int *outputLen, unsigned int maxOutputLen,
+         const unsigned char *input, unsigned int inputLen,
+         void *params, unsigned int paramsLen,
+         const unsigned char *aad, unsigned int aadLen)
+{
+    /* Check args */
+    if (cx == NULL || output == NULL || (input == NULL && inputLen != 0) || (aad == NULL && aadLen != 0) || params == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (cx->worker_aead == NULL) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    *outputLen = inputLen;
+#if UINT_MAX > MP_32BIT_MAX
+    /*
+     * we can guarentee that GSM won't overlfow if we limit the input to
+     * 2^36 bytes. For simplicity, we are limiting it to 2^32 for now.
+     *
+     * We do it here to cover both hardware and software GCM operations.
+     */
+    {
+        PR_STATIC_ASSERT(sizeof(unsigned int) > 4);
+    }
+    if (inputLen > MP_32BIT_MAX) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+#else
+    /* if we can't pass in a 32_bit number, then no such check needed */
+    {
+        PR_STATIC_ASSERT(sizeof(unsigned int) <= 4);
+    }
+#endif
+
+    return (*cx->worker_aead)(cx->worker_cx, output, outputLen, maxOutputLen,
+                              input, inputLen, params, paramsLen, aad, aadLen,
+                              AES_BLOCK_SIZE);
+}
--- a/security/nss/lib/freebl/rijndael.h
+++ b/security/nss/lib/freebl/rijndael.h
@ -69,6 +69,7 @@ struct AESContextStr {
    unsigned int Nr;
    freeblCipherFunc worker;
    unsigned char iv[AES_BLOCK_SIZE];
+    freeblAeadFunc worker_aead;
    freeblDestroyFunc destroy;
    void *worker_cx;
    PRBool isBlock;
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20.c
@ -27,13 +27,8 @@ uint32_t
    Hacl_Impl_Chacha20_Vec_chacha20_constants[4U] =
        { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U };

-inline static void
-Hacl_Impl_Chacha20_Core32_quarter_round(
-    uint32_t *st,
-    uint32_t a,
-    uint32_t b,
-    uint32_t c,
-    uint32_t d)
+static inline void
+quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
 {
    uint32_t sta = st[a];
    uint32_t stb0 = st[b];
@ -69,74 +64,42 @@ Hacl_Impl_Chacha20_Core32_quarter_round(
    st[b] = std22;
 }

-inline static void
-Hacl_Impl_Chacha20_Core32_double_round(uint32_t *st)
+static inline void
+double_round(uint32_t *st)
 {
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)0U,
-                                            (uint32_t)4U,
-                                            (uint32_t)8U,
-                                            (uint32_t)12U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)1U,
-                                            (uint32_t)5U,
-                                            (uint32_t)9U,
-                                            (uint32_t)13U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)2U,
-                                            (uint32_t)6U,
-                                            (uint32_t)10U,
-                                            (uint32_t)14U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)3U,
-                                            (uint32_t)7U,
-                                            (uint32_t)11U,
-                                            (uint32_t)15U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)0U,
-                                            (uint32_t)5U,
-                                            (uint32_t)10U,
-                                            (uint32_t)15U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)1U,
-                                            (uint32_t)6U,
-                                            (uint32_t)11U,
-                                            (uint32_t)12U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)2U,
-                                            (uint32_t)7U,
-                                            (uint32_t)8U,
-                                            (uint32_t)13U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)3U,
-                                            (uint32_t)4U,
-                                            (uint32_t)9U,
-                                            (uint32_t)14U);
+    quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U);
+    quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U);
+    quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U);
+    quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U);
+    quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U);
+    quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U);
+    quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U);
+    quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U);
 }

-inline static void
-Hacl_Impl_Chacha20_rounds(uint32_t *st)
+static inline void
+rounds(uint32_t *st)
 {
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
+    double_round(st);
 }

-inline static void
-Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
+static inline void
+chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
 {
-    memcpy(k, ctx, (uint32_t)16U * sizeof ctx[0U]);
+    memcpy(k, ctx, (uint32_t)16U * sizeof(ctx[0U]));
    uint32_t ctr_u32 = ctr;
    k[12U] = k[12U] + ctr_u32;
-    Hacl_Impl_Chacha20_rounds(k);
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    rounds(k);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        uint32_t *os = k;
        uint32_t x = k[i] + ctx[i];
        os[i] = x;
@ -145,20 +108,20 @@ Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
 }

 static uint32_t
-    Hacl_Impl_Chacha20_chacha20_constants[4U] =
+    chacha20_constants[4U] =
        { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U };

-inline static void
-Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n1, uint32_t ctr)
+static inline void
+chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n1, uint32_t ctr)
 {
    uint32_t *uu____0 = ctx;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) {
        uint32_t *os = uu____0;
-        uint32_t x = Hacl_Impl_Chacha20_chacha20_constants[i];
+        uint32_t x = chacha20_constants[i];
        os[i] = x;
    }
    uint32_t *uu____1 = ctx + (uint32_t)4U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) {
        uint32_t *os = uu____1;
        uint8_t *bj = k + i * (uint32_t)4U;
        uint32_t u = load32_le(bj);
@ -168,7 +131,7 @@ Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n1, uint32_
    }
    ctx[12U] = ctr;
    uint32_t *uu____2 = ctx + (uint32_t)13U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) {
        uint32_t *os = uu____2;
        uint8_t *bj = n1 + i * (uint32_t)4U;
        uint32_t u = load32_le(bj);
@ -178,17 +141,13 @@ Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n1, uint32_
    }
 }

-inline static void
-Hacl_Impl_Chacha20_chacha20_encrypt_block(
-    uint32_t *ctx,
-    uint8_t *out,
-    uint32_t incr1,
-    uint8_t *text)
+static inline void
+chacha20_encrypt_block(uint32_t *ctx, uint8_t *out, uint32_t incr1, uint8_t *text)
 {
    uint32_t k[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_core(k, ctx, incr1);
+    chacha20_core(k, ctx, incr1);
    uint32_t bl[16U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        uint32_t *os = bl;
        uint8_t *bj = text + i * (uint32_t)4U;
        uint32_t u = load32_le(bj);
@ -196,48 +155,36 @@ Hacl_Impl_Chacha20_chacha20_encrypt_block(
        uint32_t x = r;
        os[i] = x;
    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        uint32_t *os = bl;
        uint32_t x = bl[i] ^ k[i];
        os[i] = x;
    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        store32_le(out + i * (uint32_t)4U, bl[i]);
    }
 }

-inline static void
-Hacl_Impl_Chacha20_chacha20_encrypt_last(
-    uint32_t *ctx,
-    uint32_t len,
-    uint8_t *out,
-    uint32_t incr1,
-    uint8_t *text)
+static inline void
+chacha20_encrypt_last(uint32_t *ctx, uint32_t len, uint8_t *out, uint32_t incr1, uint8_t *text)
 {
    uint8_t plain[64U] = { 0U };
-    memcpy(plain, text, len * sizeof text[0U]);
-    Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, plain, incr1, plain);
-    memcpy(out, plain, len * sizeof plain[0U]);
+    memcpy(plain, text, len * sizeof(text[0U]));
+    chacha20_encrypt_block(ctx, plain, incr1, plain);
+    memcpy(out, plain, len * sizeof(plain[0U]));
 }

-inline static void
-Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text)
+static inline void
+chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text)
 {
    uint32_t rem1 = len % (uint32_t)64U;
    uint32_t nb = len / (uint32_t)64U;
    uint32_t rem2 = len % (uint32_t)64U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
-        Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx,
-                                                  out + i * (uint32_t)64U,
-                                                  i,
-                                                  text + i * (uint32_t)64U);
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
+        chacha20_encrypt_block(ctx, out + i * (uint32_t)64U, i, text + i * (uint32_t)64U);
    }
    if (rem2 > (uint32_t)0U) {
-        Hacl_Impl_Chacha20_chacha20_encrypt_last(ctx,
-                                                 rem1,
-                                                 out + nb * (uint32_t)64U,
-                                                 nb,
-                                                 text + nb * (uint32_t)64U);
+        chacha20_encrypt_last(ctx, rem1, out + nb * (uint32_t)64U, nb, text + nb * (uint32_t)64U);
    }
 }

@ -251,8 +198,8 @@ Hacl_Chacha20_chacha20_encrypt(
    uint32_t ctr)
 {
    uint32_t ctx[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_init(ctx, key, n1, ctr);
-    Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, text);
+    chacha20_init(ctx, key, n1, ctr);
+    chacha20_update(ctx, len, out, text);
 }

 void
@ -265,6 +212,6 @@ Hacl_Chacha20_chacha20_decrypt(
    uint32_t ctr)
 {
    uint32_t ctx[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_init(ctx, key, n1, ctr);
-    Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, cipher);
+    chacha20_init(ctx, key, n1, ctr);
+    chacha20_update(ctx, len, out, cipher);
 }
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.c
@ -23,11 +23,8 @@

 #include "Hacl_Chacha20Poly1305_128.h"

-inline static void
-Hacl_Chacha20Poly1305_128_poly1305_padded_128(
-    Lib_IntVector_Intrinsics_vec128 *ctx,
-    uint32_t len,
-    uint8_t *text)
+static inline void
+poly1305_padded_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint32_t len, uint8_t *text)
 {
    uint32_t n1 = len / (uint32_t)16U;
    uint32_t r = len % (uint32_t)16U;
@ -45,7 +42,7 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        uint32_t len1 = len0 - bs;
        uint8_t *text1 = t00 + bs;
        uint32_t nb = len1 / bs;
-        for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
+        for (uint32_t i = (uint32_t)0U; i < nb; i++) {
            uint8_t *block = text1 + i * bs;
            Lib_IntVector_Intrinsics_vec128 e[5U];
            for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
@ -200,57 +197,43 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
            Lib_IntVector_Intrinsics_vec128 t3 = a34;
            Lib_IntVector_Intrinsics_vec128 t4 = a44;
            Lib_IntVector_Intrinsics_vec128
-                l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
+                mask261 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU);
            Lib_IntVector_Intrinsics_vec128
-                tmp0 =
-                    Lib_IntVector_Intrinsics_vec128_and(l,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+                z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U);
            Lib_IntVector_Intrinsics_vec128
-                c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
+                z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U);
+            Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask261);
+            Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask261);
+            Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0);
+            Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1);
            Lib_IntVector_Intrinsics_vec128
-                tmp1 =
-                    Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+                z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U);
            Lib_IntVector_Intrinsics_vec128
-                c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
+                z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U);
            Lib_IntVector_Intrinsics_vec128
-                tmp2 =
-                    Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+                t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U);
+            Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t);
+            Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask261);
+            Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask261);
+            Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01);
+            Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12);
            Lib_IntVector_Intrinsics_vec128
-                c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
+                z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U);
            Lib_IntVector_Intrinsics_vec128
-                tmp3 =
-                    Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+                z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U);
+            Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask261);
+            Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask261);
+            Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02);
+            Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13);
            Lib_IntVector_Intrinsics_vec128
-                c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-            Lib_IntVector_Intrinsics_vec128
-                tmp4 =
-                    Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128
-                l4 =
-                    Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                          Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-            Lib_IntVector_Intrinsics_vec128
-                tmp01 =
-                    Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-            Lib_IntVector_Intrinsics_vec128 o00 = tmp01;
-            Lib_IntVector_Intrinsics_vec128 o10 = tmp11;
-            Lib_IntVector_Intrinsics_vec128 o20 = tmp2;
-            Lib_IntVector_Intrinsics_vec128 o30 = tmp3;
-            Lib_IntVector_Intrinsics_vec128 o40 = tmp4;
+                z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U);
+            Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask261);
+            Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+            Lib_IntVector_Intrinsics_vec128 o00 = x02;
+            Lib_IntVector_Intrinsics_vec128 o10 = x12;
+            Lib_IntVector_Intrinsics_vec128 o20 = x21;
+            Lib_IntVector_Intrinsics_vec128 o30 = x32;
+            Lib_IntVector_Intrinsics_vec128 o40 = x42;
            acc0[0U] = o00;
            acc0[1U] = o10;
            acc0[2U] = o20;
@ -283,7 +266,7 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
    uint8_t *t10 = blocks + len0;
    uint32_t nb = len1 / (uint32_t)16U;
    uint32_t rem2 = len1 % (uint32_t)16U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
        uint8_t *block = t10 + i * (uint32_t)16U;
        Lib_IntVector_Intrinsics_vec128 e[5U];
        for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
@ -448,57 +431,43 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        Lib_IntVector_Intrinsics_vec128 t3 = a36;
        Lib_IntVector_Intrinsics_vec128 t4 = a46;
        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
+            mask261 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU);
        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t11, c01);
+            z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask261);
+        Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask261);
+        Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0);
+        Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1);
        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
+            z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U);
+        Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t);
+        Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask261);
+        Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask261);
+        Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01);
+        Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12);
        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
+            z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask261);
+        Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask261);
+        Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02);
+        Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13);
        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
+            z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask261);
+        Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+        Lib_IntVector_Intrinsics_vec128 o0 = x02;
+        Lib_IntVector_Intrinsics_vec128 o1 = x12;
+        Lib_IntVector_Intrinsics_vec128 o2 = x21;
+        Lib_IntVector_Intrinsics_vec128 o3 = x32;
+        Lib_IntVector_Intrinsics_vec128 o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
@ -511,7 +480,7 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
            e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
        uint8_t tmp[16U] = { 0U };
-        memcpy(tmp, last1, rem2 * sizeof last1[0U]);
+        memcpy(tmp, last1, rem2 * sizeof(last1[0U]));
        uint64_t u0 = load64_le(tmp);
        uint64_t lo = u0;
        uint64_t u = load64_le(tmp + (uint32_t)8U);
@ -672,57 +641,43 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        Lib_IntVector_Intrinsics_vec128 t3 = a36;
        Lib_IntVector_Intrinsics_vec128 t4 = a46;
        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
+            mask261 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU);
        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t11, c01);
+            z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask261);
+        Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask261);
+        Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0);
+        Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1);
        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
+            z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U);
+        Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t);
+        Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask261);
+        Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask261);
+        Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01);
+        Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12);
        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
+            z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask261);
+        Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask261);
+        Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02);
+        Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13);
        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
+            z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask261);
+        Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+        Lib_IntVector_Intrinsics_vec128 o0 = x02;
+        Lib_IntVector_Intrinsics_vec128 o1 = x12;
+        Lib_IntVector_Intrinsics_vec128 o2 = x21;
+        Lib_IntVector_Intrinsics_vec128 o3 = x32;
+        Lib_IntVector_Intrinsics_vec128 o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
@ -730,7 +685,7 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        acc0[4U] = o4;
    }
    uint8_t tmp[16U] = { 0U };
-    memcpy(tmp, rem1, r * sizeof rem1[0U]);
+    memcpy(tmp, rem1, r * sizeof(rem1[0U]));
    if (r > (uint32_t)0U) {
        Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U;
        Lib_IntVector_Intrinsics_vec128 *acc = ctx;
@ -897,57 +852,43 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
        Lib_IntVector_Intrinsics_vec128 t3 = a36;
        Lib_IntVector_Intrinsics_vec128 t4 = a46;
        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t0, Lib_IntVector_Intrinsics_vec128_zero);
+            mask261 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU);
        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
+            z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask261);
+        Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask261);
+        Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0);
+        Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1);
        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
+            z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U);
+        Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t);
+        Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask261);
+        Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask261);
+        Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01);
+        Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12);
        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
+            z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U);
        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+            z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask261);
+        Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask261);
+        Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02);
+        Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13);
        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
+            z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U);
+        Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask261);
+        Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+        Lib_IntVector_Intrinsics_vec128 o0 = x02;
+        Lib_IntVector_Intrinsics_vec128 o1 = x12;
+        Lib_IntVector_Intrinsics_vec128 o2 = x21;
+        Lib_IntVector_Intrinsics_vec128 o3 = x32;
+        Lib_IntVector_Intrinsics_vec128 o4 = x42;
        acc[0U] = o0;
        acc[1U] = o1;
        acc[2U] = o2;
@ -957,8 +898,8 @@ Hacl_Chacha20Poly1305_128_poly1305_padded_128(
    }
 }

-inline static void
-Hacl_Chacha20Poly1305_128_poly1305_do_128(
+static inline void
+poly1305_do_128(
    uint8_t *k,
    uint32_t aadlen,
    uint8_t *aad,
@ -971,8 +912,8 @@ Hacl_Chacha20Poly1305_128_poly1305_do_128(
        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
    uint8_t block[16U] = { 0U };
    Hacl_Poly1305_128_poly1305_init(ctx, k);
-    Hacl_Chacha20Poly1305_128_poly1305_padded_128(ctx, aadlen, aad);
-    Hacl_Chacha20Poly1305_128_poly1305_padded_128(ctx, mlen, m);
+    poly1305_padded_128(ctx, aadlen, aad);
+    poly1305_padded_128(ctx, mlen, m);
    store64_le(block, (uint64_t)aadlen);
    store64_le(block + (uint32_t)8U, (uint64_t)mlen);
    Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U;
@ -1140,57 +1081,43 @@ Hacl_Chacha20Poly1305_128_poly1305_do_128(
    Lib_IntVector_Intrinsics_vec128 t3 = a36;
    Lib_IntVector_Intrinsics_vec128 t4 = a46;
    Lib_IntVector_Intrinsics_vec128
-        l = Lib_IntVector_Intrinsics_vec128_add64(t0, Lib_IntVector_Intrinsics_vec128_zero);
+        mask261 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU);
    Lib_IntVector_Intrinsics_vec128
-        tmp0 =
-            Lib_IntVector_Intrinsics_vec128_and(l,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+        z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U);
    Lib_IntVector_Intrinsics_vec128
-        c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
+        z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U);
+    Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask261);
+    Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask261);
+    Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0);
+    Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1);
    Lib_IntVector_Intrinsics_vec128
-        tmp1 =
-            Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+        z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U);
    Lib_IntVector_Intrinsics_vec128
-        c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
+        z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U);
    Lib_IntVector_Intrinsics_vec128
-        tmp2 =
-            Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+        t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U);
+    Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t);
+    Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask261);
+    Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask261);
+    Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01);
+    Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12);
    Lib_IntVector_Intrinsics_vec128
-        c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
+        z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U);
    Lib_IntVector_Intrinsics_vec128
-        tmp3 =
-            Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
+        z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U);
+    Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask261);
+    Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask261);
+    Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02);
+    Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13);
    Lib_IntVector_Intrinsics_vec128
-        c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-    Lib_IntVector_Intrinsics_vec128
-        tmp4 =
-            Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128
-        l4 =
-            Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                  Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-    Lib_IntVector_Intrinsics_vec128
-        tmp01 =
-            Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-    Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-    Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-    Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-    Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-    Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
+        z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U);
+    Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask261);
+    Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+    Lib_IntVector_Intrinsics_vec128 o0 = x02;
+    Lib_IntVector_Intrinsics_vec128 o1 = x12;
+    Lib_IntVector_Intrinsics_vec128 o2 = x21;
+    Lib_IntVector_Intrinsics_vec128 o3 = x32;
+    Lib_IntVector_Intrinsics_vec128 o4 = x42;
    acc[0U] = o0;
    acc[1U] = o1;
    acc[2U] = o2;
@ -1214,7 +1141,7 @@ Hacl_Chacha20Poly1305_128_aead_encrypt(
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_128_poly1305_do_128(key, aadlen, aad, mlen, cipher, mac);
+    poly1305_do_128(key, aadlen, aad, mlen, cipher, mac);
 }

 uint32_t
@ -1232,9 +1159,9 @@ Hacl_Chacha20Poly1305_128_aead_decrypt(
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_128_poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac);
+    poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac);
    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
        res = uu____0 & res;
    }
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_256.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_256.c
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_256.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_256.h
@ -0,0 +1,60 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "libintvector.h"
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include <string.h>
+#include <stdbool.h>
+
+#ifndef __Hacl_Chacha20Poly1305_256_H
+#define __Hacl_Chacha20Poly1305_256_H
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Chacha20_Vec256.h"
+#include "Hacl_Poly1305_256.h"
+
+void
+Hacl_Chacha20Poly1305_256_aead_encrypt(
+    uint8_t *k,
+    uint8_t *n1,
+    uint32_t aadlen,
+    uint8_t *aad,
+    uint32_t mlen,
+    uint8_t *m,
+    uint8_t *cipher,
+    uint8_t *mac);
+
+uint32_t
+Hacl_Chacha20Poly1305_256_aead_decrypt(
+    uint8_t *k,
+    uint8_t *n1,
+    uint32_t aadlen,
+    uint8_t *aad,
+    uint32_t mlen,
+    uint8_t *m,
+    uint8_t *cipher,
+    uint8_t *mac);
+
+#define __Hacl_Chacha20Poly1305_256_H_DEFINED
+#endif
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.c
@ -23,8 +23,8 @@

 #include "Hacl_Chacha20Poly1305_32.h"

-static void
-Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text)
+static inline void
+poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text)
 {
    uint32_t n1 = len / (uint32_t)16U;
    uint32_t r = len % (uint32_t)16U;
@ -34,7 +34,7 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
    uint64_t *acc0 = ctx;
    uint32_t nb = n1 * (uint32_t)16U / (uint32_t)16U;
    uint32_t rem2 = n1 * (uint32_t)16U % (uint32_t)16U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
        uint8_t *block = blocks + i * (uint32_t)16U;
        uint64_t e[5U] = { 0U };
        uint64_t u0 = load64_le(block);
@ -118,30 +118,35 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
+        uint64_t mask261 = (uint64_t)0x3ffffffU;
+        uint64_t z0 = t0 >> (uint32_t)26U;
+        uint64_t z1 = t3 >> (uint32_t)26U;
+        uint64_t x0 = t0 & mask261;
+        uint64_t x3 = t3 & mask261;
+        uint64_t x1 = t1 + z0;
+        uint64_t x4 = t4 + z1;
+        uint64_t z01 = x1 >> (uint32_t)26U;
+        uint64_t z11 = x4 >> (uint32_t)26U;
+        uint64_t t = z11 << (uint32_t)2U;
+        uint64_t z12 = z11 + t;
+        uint64_t x11 = x1 & mask261;
+        uint64_t x41 = x4 & mask261;
+        uint64_t x2 = t2 + z01;
+        uint64_t x01 = x0 + z12;
+        uint64_t z02 = x2 >> (uint32_t)26U;
+        uint64_t z13 = x01 >> (uint32_t)26U;
+        uint64_t x21 = x2 & mask261;
+        uint64_t x02 = x01 & mask261;
+        uint64_t x31 = x3 + z02;
+        uint64_t x12 = x11 + z13;
+        uint64_t z03 = x31 >> (uint32_t)26U;
+        uint64_t x32 = x31 & mask261;
+        uint64_t x42 = x41 + z03;
+        uint64_t o0 = x02;
+        uint64_t o1 = x12;
+        uint64_t o2 = x21;
+        uint64_t o3 = x32;
+        uint64_t o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
@ -152,7 +157,7 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
        uint8_t *last1 = blocks + nb * (uint32_t)16U;
        uint64_t e[5U] = { 0U };
        uint8_t tmp[16U] = { 0U };
-        memcpy(tmp, last1, rem2 * sizeof last1[0U]);
+        memcpy(tmp, last1, rem2 * sizeof(last1[0U]));
        uint64_t u0 = load64_le(tmp);
        uint64_t lo = u0;
        uint64_t u = load64_le(tmp + (uint32_t)8U);
@ -234,30 +239,35 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
+        uint64_t mask261 = (uint64_t)0x3ffffffU;
+        uint64_t z0 = t0 >> (uint32_t)26U;
+        uint64_t z1 = t3 >> (uint32_t)26U;
+        uint64_t x0 = t0 & mask261;
+        uint64_t x3 = t3 & mask261;
+        uint64_t x1 = t1 + z0;
+        uint64_t x4 = t4 + z1;
+        uint64_t z01 = x1 >> (uint32_t)26U;
+        uint64_t z11 = x4 >> (uint32_t)26U;
+        uint64_t t = z11 << (uint32_t)2U;
+        uint64_t z12 = z11 + t;
+        uint64_t x11 = x1 & mask261;
+        uint64_t x41 = x4 & mask261;
+        uint64_t x2 = t2 + z01;
+        uint64_t x01 = x0 + z12;
+        uint64_t z02 = x2 >> (uint32_t)26U;
+        uint64_t z13 = x01 >> (uint32_t)26U;
+        uint64_t x21 = x2 & mask261;
+        uint64_t x02 = x01 & mask261;
+        uint64_t x31 = x3 + z02;
+        uint64_t x12 = x11 + z13;
+        uint64_t z03 = x31 >> (uint32_t)26U;
+        uint64_t x32 = x31 & mask261;
+        uint64_t x42 = x41 + z03;
+        uint64_t o0 = x02;
+        uint64_t o1 = x12;
+        uint64_t o2 = x21;
+        uint64_t o3 = x32;
+        uint64_t o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
@ -265,7 +275,7 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
        acc0[4U] = o4;
    }
    uint8_t tmp[16U] = { 0U };
-    memcpy(tmp, rem1, r * sizeof rem1[0U]);
+    memcpy(tmp, rem1, r * sizeof(rem1[0U]));
    if (r > (uint32_t)0U) {
        uint64_t *pre = ctx + (uint32_t)5U;
        uint64_t *acc = ctx;
@ -351,30 +361,35 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
+        uint64_t mask261 = (uint64_t)0x3ffffffU;
+        uint64_t z0 = t0 >> (uint32_t)26U;
+        uint64_t z1 = t3 >> (uint32_t)26U;
+        uint64_t x0 = t0 & mask261;
+        uint64_t x3 = t3 & mask261;
+        uint64_t x1 = t1 + z0;
+        uint64_t x4 = t4 + z1;
+        uint64_t z01 = x1 >> (uint32_t)26U;
+        uint64_t z11 = x4 >> (uint32_t)26U;
+        uint64_t t = z11 << (uint32_t)2U;
+        uint64_t z12 = z11 + t;
+        uint64_t x11 = x1 & mask261;
+        uint64_t x41 = x4 & mask261;
+        uint64_t x2 = t2 + z01;
+        uint64_t x01 = x0 + z12;
+        uint64_t z02 = x2 >> (uint32_t)26U;
+        uint64_t z13 = x01 >> (uint32_t)26U;
+        uint64_t x21 = x2 & mask261;
+        uint64_t x02 = x01 & mask261;
+        uint64_t x31 = x3 + z02;
+        uint64_t x12 = x11 + z13;
+        uint64_t z03 = x31 >> (uint32_t)26U;
+        uint64_t x32 = x31 & mask261;
+        uint64_t x42 = x41 + z03;
+        uint64_t o0 = x02;
+        uint64_t o1 = x12;
+        uint64_t o2 = x21;
+        uint64_t o3 = x32;
+        uint64_t o4 = x42;
        acc[0U] = o0;
        acc[1U] = o1;
        acc[2U] = o2;
@ -384,8 +399,8 @@ Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t
    }
 }

-static void
-Hacl_Chacha20Poly1305_32_poly1305_do_32(
+static inline void
+poly1305_do_32(
    uint8_t *k,
    uint32_t aadlen,
    uint8_t *aad,
@ -396,8 +411,8 @@ Hacl_Chacha20Poly1305_32_poly1305_do_32(
    uint64_t ctx[25U] = { 0U };
    uint8_t block[16U] = { 0U };
    Hacl_Poly1305_32_poly1305_init(ctx, k);
-    Hacl_Chacha20Poly1305_32_poly1305_padded_32(ctx, aadlen, aad);
-    Hacl_Chacha20Poly1305_32_poly1305_padded_32(ctx, mlen, m);
+    poly1305_padded_32(ctx, aadlen, aad);
+    poly1305_padded_32(ctx, mlen, m);
    store64_le(block, (uint64_t)aadlen);
    store64_le(block + (uint32_t)8U, (uint64_t)mlen);
    uint64_t *pre = ctx + (uint32_t)5U;
@ -484,30 +499,35 @@ Hacl_Chacha20Poly1305_32_poly1305_do_32(
    uint64_t t2 = a26;
    uint64_t t3 = a36;
    uint64_t t4 = a46;
-    uint64_t l = t0 + (uint64_t)0U;
-    uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-    uint64_t c01 = l >> (uint32_t)26U;
-    uint64_t l0 = t1 + c01;
-    uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-    uint64_t c11 = l0 >> (uint32_t)26U;
-    uint64_t l1 = t2 + c11;
-    uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-    uint64_t c21 = l1 >> (uint32_t)26U;
-    uint64_t l2 = t3 + c21;
-    uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-    uint64_t c31 = l2 >> (uint32_t)26U;
-    uint64_t l3 = t4 + c31;
-    uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-    uint64_t c4 = l3 >> (uint32_t)26U;
-    uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-    uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-    uint64_t c5 = l4 >> (uint32_t)26U;
-    uint64_t tmp11 = tmp1 + c5;
-    uint64_t o0 = tmp01;
-    uint64_t o1 = tmp11;
-    uint64_t o2 = tmp2;
-    uint64_t o3 = tmp3;
-    uint64_t o4 = tmp4;
+    uint64_t mask261 = (uint64_t)0x3ffffffU;
+    uint64_t z0 = t0 >> (uint32_t)26U;
+    uint64_t z1 = t3 >> (uint32_t)26U;
+    uint64_t x0 = t0 & mask261;
+    uint64_t x3 = t3 & mask261;
+    uint64_t x1 = t1 + z0;
+    uint64_t x4 = t4 + z1;
+    uint64_t z01 = x1 >> (uint32_t)26U;
+    uint64_t z11 = x4 >> (uint32_t)26U;
+    uint64_t t = z11 << (uint32_t)2U;
+    uint64_t z12 = z11 + t;
+    uint64_t x11 = x1 & mask261;
+    uint64_t x41 = x4 & mask261;
+    uint64_t x2 = t2 + z01;
+    uint64_t x01 = x0 + z12;
+    uint64_t z02 = x2 >> (uint32_t)26U;
+    uint64_t z13 = x01 >> (uint32_t)26U;
+    uint64_t x21 = x2 & mask261;
+    uint64_t x02 = x01 & mask261;
+    uint64_t x31 = x3 + z02;
+    uint64_t x12 = x11 + z13;
+    uint64_t z03 = x31 >> (uint32_t)26U;
+    uint64_t x32 = x31 & mask261;
+    uint64_t x42 = x41 + z03;
+    uint64_t o0 = x02;
+    uint64_t o1 = x12;
+    uint64_t o2 = x21;
+    uint64_t o3 = x32;
+    uint64_t o4 = x42;
    acc[0U] = o0;
    acc[1U] = o1;
    acc[2U] = o2;
@ -531,7 +551,7 @@ Hacl_Chacha20Poly1305_32_aead_encrypt(
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_32_poly1305_do_32(key, aadlen, aad, mlen, cipher, mac);
+    poly1305_do_32(key, aadlen, aad, mlen, cipher, mac);
 }

 uint32_t
@ -549,9 +569,9 @@ Hacl_Chacha20Poly1305_32_aead_decrypt(
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_32_poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac);
+    poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac);
    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
        res = uu____0 & res;
    }
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
@ -23,8 +23,8 @@

 #include "Hacl_Chacha20_Vec128.h"

-static void
-Hacl_Chacha20_Vec128_double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
+static inline void
+double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
 {
    st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]);
    Lib_IntVector_Intrinsics_vec128 std = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]);
@ -124,27 +124,27 @@ Hacl_Chacha20_Vec128_double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
    st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std30, (uint32_t)7U);
 }

-static void
-Hacl_Chacha20_Vec128_chacha20_core_128(
+static inline void
+chacha20_core_128(
    Lib_IntVector_Intrinsics_vec128 *k,
    Lib_IntVector_Intrinsics_vec128 *ctx,
    uint32_t ctr)
 {
-    memcpy(k, ctx, (uint32_t)16U * sizeof ctx[0U]);
+    memcpy(k, ctx, (uint32_t)16U * sizeof(ctx[0U]));
    uint32_t ctr_u32 = (uint32_t)4U * ctr;
    Lib_IntVector_Intrinsics_vec128 cv = Lib_IntVector_Intrinsics_vec128_load32(ctr_u32);
    k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    double_round_128(k);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        Lib_IntVector_Intrinsics_vec128 *os = k;
        Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]);
        os[i] = x;
@ -152,22 +152,18 @@ Hacl_Chacha20_Vec128_chacha20_core_128(
    k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv);
 }

-static void
-Hacl_Chacha20_Vec128_chacha20_init_128(
-    Lib_IntVector_Intrinsics_vec128 *ctx,
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t ctr)
+static inline void
+chacha20_init_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *k, uint8_t *n1, uint32_t ctr)
 {
    uint32_t ctx1[16U] = { 0U };
    uint32_t *uu____0 = ctx1;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) {
        uint32_t *os = uu____0;
        uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i];
        os[i] = x;
    }
    uint32_t *uu____1 = ctx1 + (uint32_t)4U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) {
        uint32_t *os = uu____1;
        uint8_t *bj = k + i * (uint32_t)4U;
        uint32_t u = load32_le(bj);
@ -177,7 +173,7 @@ Hacl_Chacha20_Vec128_chacha20_init_128(
    }
    ctx1[12U] = ctr;
    uint32_t *uu____2 = ctx1 + (uint32_t)13U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) {
        uint32_t *os = uu____2;
        uint8_t *bj = n1 + i * (uint32_t)4U;
        uint32_t u = load32_le(bj);
@ -185,7 +181,7 @@ Hacl_Chacha20_Vec128_chacha20_init_128(
        uint32_t x = r;
        os[i] = x;
    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
        Lib_IntVector_Intrinsics_vec128 *os = ctx;
        uint32_t x = ctx1[i];
        Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_load32(x);
@ -193,10 +189,10 @@ Hacl_Chacha20_Vec128_chacha20_init_128(
    }
    Lib_IntVector_Intrinsics_vec128
        ctr1 =
-            Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)3U,
-                                                    (uint32_t)2U,
+            Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)0U,
                                                    (uint32_t)1U,
-                                                    (uint32_t)0U);
+                                                    (uint32_t)2U,
+                                                    (uint32_t)3U);
    Lib_IntVector_Intrinsics_vec128 c12 = ctx[12U];
    ctx[12U] = Lib_IntVector_Intrinsics_vec128_add32(c12, ctr1);
 }
@ -213,26 +209,17 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128(
    Lib_IntVector_Intrinsics_vec128 ctx[16U];
    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    Hacl_Chacha20_Vec128_chacha20_init_128(ctx, key, n1, ctr);
-    uint32_t rem1 = len % ((uint32_t)4U * (uint32_t)64U);
-    uint32_t nb = len / ((uint32_t)4U * (uint32_t)64U);
-    uint32_t rem2 = len % ((uint32_t)4U * (uint32_t)64U);
-    for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0 = i0 + (uint32_t)1U) {
-        uint8_t *uu____0 = out + i0 * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____1 = text + i0 * (uint32_t)256U;
+    chacha20_init_128(ctx, key, n1, ctr);
+    uint32_t rem1 = len % (uint32_t)256U;
+    uint32_t nb = len / (uint32_t)256U;
+    uint32_t rem2 = len % (uint32_t)256U;
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
+        uint8_t *uu____0 = out + i * (uint32_t)256U;
+        uint8_t *uu____1 = text + i * (uint32_t)256U;
        Lib_IntVector_Intrinsics_vec128 k[16U];
        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, i0);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
+        chacha20_core_128(k, ctx, i);
        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
@ -345,33 +332,22 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128(
        k[13U] = v7;
        k[14U] = v11;
        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i * (uint32_t)16U, bl[i]);
+        for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) {
+            Lib_IntVector_Intrinsics_vec128
+                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i0 * (uint32_t)16U);
+            Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]);
+            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i0 * (uint32_t)16U, y);
        }
    }
    if (rem2 > (uint32_t)0U) {
-        uint8_t *uu____2 = out + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____3 = text + nb * (uint32_t)4U * (uint32_t)64U;
+        uint8_t *uu____2 = out + nb * (uint32_t)256U;
+        uint8_t *uu____3 = text + nb * (uint32_t)256U;
        uint8_t plain[256U] = { 0U };
-        memcpy(plain, uu____3, rem1 * sizeof uu____3[0U]);
+        memcpy(plain, uu____3, rem1 * sizeof(uu____3[0U]));
        Lib_IntVector_Intrinsics_vec128 k[16U];
        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, nb);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
+        chacha20_core_128(k, ctx, nb);
        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
@ -484,15 +460,13 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128(
        k[13U] = v7;
        k[14U] = v11;
        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
+        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+            Lib_IntVector_Intrinsics_vec128
+                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)16U);
+            Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]);
+            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, y);
        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, bl[i]);
-        }
-        memcpy(uu____2, plain, rem1 * sizeof plain[0U]);
+        memcpy(uu____2, plain, rem1 * sizeof(plain[0U]));
    }
 }

@ -508,26 +482,17 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128(
    Lib_IntVector_Intrinsics_vec128 ctx[16U];
    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    Hacl_Chacha20_Vec128_chacha20_init_128(ctx, key, n1, ctr);
-    uint32_t rem1 = len % ((uint32_t)4U * (uint32_t)64U);
-    uint32_t nb = len / ((uint32_t)4U * (uint32_t)64U);
-    uint32_t rem2 = len % ((uint32_t)4U * (uint32_t)64U);
-    for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0 = i0 + (uint32_t)1U) {
-        uint8_t *uu____0 = out + i0 * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____1 = cipher + i0 * (uint32_t)256U;
+    chacha20_init_128(ctx, key, n1, ctr);
+    uint32_t rem1 = len % (uint32_t)256U;
+    uint32_t nb = len / (uint32_t)256U;
+    uint32_t rem2 = len % (uint32_t)256U;
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
+        uint8_t *uu____0 = out + i * (uint32_t)256U;
+        uint8_t *uu____1 = cipher + i * (uint32_t)256U;
        Lib_IntVector_Intrinsics_vec128 k[16U];
        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, i0);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
+        chacha20_core_128(k, ctx, i);
        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
@ -640,33 +605,22 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128(
        k[13U] = v7;
        k[14U] = v11;
        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i * (uint32_t)16U, bl[i]);
+        for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) {
+            Lib_IntVector_Intrinsics_vec128
+                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i0 * (uint32_t)16U);
+            Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]);
+            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i0 * (uint32_t)16U, y);
        }
    }
    if (rem2 > (uint32_t)0U) {
-        uint8_t *uu____2 = out + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____3 = cipher + nb * (uint32_t)4U * (uint32_t)64U;
+        uint8_t *uu____2 = out + nb * (uint32_t)256U;
+        uint8_t *uu____3 = cipher + nb * (uint32_t)256U;
        uint8_t plain[256U] = { 0U };
-        memcpy(plain, uu____3, rem1 * sizeof uu____3[0U]);
+        memcpy(plain, uu____3, rem1 * sizeof(uu____3[0U]));
        Lib_IntVector_Intrinsics_vec128 k[16U];
        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, nb);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
+        chacha20_core_128(k, ctx, nb);
        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
@ -779,14 +733,12 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128(
        k[13U] = v7;
        k[14U] = v11;
        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
+        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+            Lib_IntVector_Intrinsics_vec128
+                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)16U);
+            Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]);
+            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, y);
        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, bl[i]);
-        }
-        memcpy(uu____2, plain, rem1 * sizeof plain[0U]);
+        memcpy(uu____2, plain, rem1 * sizeof(plain[0U]));
    }
 }
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c
@ -0,0 +1,876 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "Hacl_Chacha20_Vec256.h"
+
+static inline void
+double_round_256(Lib_IntVector_Intrinsics_vec256 *st)
+{
+    st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]);
+    Lib_IntVector_Intrinsics_vec256 std = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]);
+    st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std, (uint32_t)16U);
+    st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]);
+    Lib_IntVector_Intrinsics_vec256 std0 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]);
+    st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std0, (uint32_t)12U);
+    st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]);
+    Lib_IntVector_Intrinsics_vec256 std1 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]);
+    st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std1, (uint32_t)8U);
+    st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]);
+    Lib_IntVector_Intrinsics_vec256 std2 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]);
+    st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std2, (uint32_t)7U);
+    st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]);
+    Lib_IntVector_Intrinsics_vec256 std3 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]);
+    st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std3, (uint32_t)16U);
+    st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]);
+    Lib_IntVector_Intrinsics_vec256 std4 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]);
+    st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std4, (uint32_t)12U);
+    st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]);
+    Lib_IntVector_Intrinsics_vec256 std5 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]);
+    st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std5, (uint32_t)8U);
+    st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]);
+    Lib_IntVector_Intrinsics_vec256 std6 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]);
+    st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std6, (uint32_t)7U);
+    st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]);
+    Lib_IntVector_Intrinsics_vec256 std7 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]);
+    st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std7, (uint32_t)16U);
+    st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]);
+    Lib_IntVector_Intrinsics_vec256 std8 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]);
+    st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std8, (uint32_t)12U);
+    st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]);
+    Lib_IntVector_Intrinsics_vec256 std9 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]);
+    st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std9, (uint32_t)8U);
+    st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]);
+    Lib_IntVector_Intrinsics_vec256 std10 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]);
+    st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std10, (uint32_t)7U);
+    st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]);
+    Lib_IntVector_Intrinsics_vec256 std11 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]);
+    st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std11, (uint32_t)16U);
+    st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]);
+    Lib_IntVector_Intrinsics_vec256 std12 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]);
+    st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std12, (uint32_t)12U);
+    st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]);
+    Lib_IntVector_Intrinsics_vec256 std13 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]);
+    st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std13, (uint32_t)8U);
+    st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]);
+    Lib_IntVector_Intrinsics_vec256 std14 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]);
+    st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std14, (uint32_t)7U);
+    st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]);
+    Lib_IntVector_Intrinsics_vec256 std15 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]);
+    st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std15, (uint32_t)16U);
+    st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]);
+    Lib_IntVector_Intrinsics_vec256 std16 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]);
+    st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std16, (uint32_t)12U);
+    st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]);
+    Lib_IntVector_Intrinsics_vec256 std17 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]);
+    st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std17, (uint32_t)8U);
+    st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]);
+    Lib_IntVector_Intrinsics_vec256 std18 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]);
+    st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std18, (uint32_t)7U);
+    st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]);
+    Lib_IntVector_Intrinsics_vec256 std19 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]);
+    st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std19, (uint32_t)16U);
+    st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]);
+    Lib_IntVector_Intrinsics_vec256 std20 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]);
+    st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std20, (uint32_t)12U);
+    st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]);
+    Lib_IntVector_Intrinsics_vec256 std21 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]);
+    st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std21, (uint32_t)8U);
+    st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]);
+    Lib_IntVector_Intrinsics_vec256 std22 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]);
+    st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std22, (uint32_t)7U);
+    st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]);
+    Lib_IntVector_Intrinsics_vec256 std23 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]);
+    st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std23, (uint32_t)16U);
+    st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]);
+    Lib_IntVector_Intrinsics_vec256 std24 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]);
+    st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std24, (uint32_t)12U);
+    st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]);
+    Lib_IntVector_Intrinsics_vec256 std25 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]);
+    st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std25, (uint32_t)8U);
+    st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]);
+    Lib_IntVector_Intrinsics_vec256 std26 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]);
+    st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std26, (uint32_t)7U);
+    st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]);
+    Lib_IntVector_Intrinsics_vec256 std27 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]);
+    st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std27, (uint32_t)16U);
+    st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]);
+    Lib_IntVector_Intrinsics_vec256 std28 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]);
+    st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std28, (uint32_t)12U);
+    st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]);
+    Lib_IntVector_Intrinsics_vec256 std29 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]);
+    st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std29, (uint32_t)8U);
+    st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]);
+    Lib_IntVector_Intrinsics_vec256 std30 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]);
+    st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std30, (uint32_t)7U);
+}
+
+static inline void
+chacha20_core_256(
+    Lib_IntVector_Intrinsics_vec256 *k,
+    Lib_IntVector_Intrinsics_vec256 *ctx,
+    uint32_t ctr)
+{
+    memcpy(k, ctx, (uint32_t)16U * sizeof(ctx[0U]));
+    uint32_t ctr_u32 = (uint32_t)8U * ctr;
+    Lib_IntVector_Intrinsics_vec256 cv = Lib_IntVector_Intrinsics_vec256_load32(ctr_u32);
+    k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    double_round_256(k);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+        Lib_IntVector_Intrinsics_vec256 *os = k;
+        Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(k[i], ctx[i]);
+        os[i] = x;
+    }
+    k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv);
+}
+
+static inline void
+chacha20_init_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *k, uint8_t *n1, uint32_t ctr)
+{
+    uint32_t ctx1[16U] = { 0U };
+    uint32_t *uu____0 = ctx1;
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) {
+        uint32_t *os = uu____0;
+        uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i];
+        os[i] = x;
+    }
+    uint32_t *uu____1 = ctx1 + (uint32_t)4U;
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) {
+        uint32_t *os = uu____1;
+        uint8_t *bj = k + i * (uint32_t)4U;
+        uint32_t u = load32_le(bj);
+        uint32_t r = u;
+        uint32_t x = r;
+        os[i] = x;
+    }
+    ctx1[12U] = ctr;
+    uint32_t *uu____2 = ctx1 + (uint32_t)13U;
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) {
+        uint32_t *os = uu____2;
+        uint8_t *bj = n1 + i * (uint32_t)4U;
+        uint32_t u = load32_le(bj);
+        uint32_t r = u;
+        uint32_t x = r;
+        os[i] = x;
+    }
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+        Lib_IntVector_Intrinsics_vec256 *os = ctx;
+        uint32_t x = ctx1[i];
+        Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_load32(x);
+        os[i] = x0;
+    }
+    Lib_IntVector_Intrinsics_vec256
+        ctr1 =
+            Lib_IntVector_Intrinsics_vec256_load32s((uint32_t)0U,
+                                                    (uint32_t)1U,
+                                                    (uint32_t)2U,
+                                                    (uint32_t)3U,
+                                                    (uint32_t)4U,
+                                                    (uint32_t)5U,
+                                                    (uint32_t)6U,
+                                                    (uint32_t)7U);
+    Lib_IntVector_Intrinsics_vec256 c12 = ctx[12U];
+    ctx[12U] = Lib_IntVector_Intrinsics_vec256_add32(c12, ctr1);
+}
+
+void
+Hacl_Chacha20_Vec256_chacha20_encrypt_256(
+    uint32_t len,
+    uint8_t *out,
+    uint8_t *text,
+    uint8_t *key,
+    uint8_t *n1,
+    uint32_t ctr)
+{
+    Lib_IntVector_Intrinsics_vec256 ctx[16U];
+    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+        ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+    chacha20_init_256(ctx, key, n1, ctr);
+    uint32_t rem1 = len % (uint32_t)512U;
+    uint32_t nb = len / (uint32_t)512U;
+    uint32_t rem2 = len % (uint32_t)512U;
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
+        uint8_t *uu____0 = out + i * (uint32_t)512U;
+        uint8_t *uu____1 = text + i * (uint32_t)512U;
+        Lib_IntVector_Intrinsics_vec256 k[16U];
+        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+            k[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+        chacha20_core_256(k, ctx, i);
+        Lib_IntVector_Intrinsics_vec256 v00 = k[0U];
+        Lib_IntVector_Intrinsics_vec256 v16 = k[1U];
+        Lib_IntVector_Intrinsics_vec256 v20 = k[2U];
+        Lib_IntVector_Intrinsics_vec256 v30 = k[3U];
+        Lib_IntVector_Intrinsics_vec256 v40 = k[4U];
+        Lib_IntVector_Intrinsics_vec256 v50 = k[5U];
+        Lib_IntVector_Intrinsics_vec256 v60 = k[6U];
+        Lib_IntVector_Intrinsics_vec256 v70 = k[7U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v4__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v5__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v6__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v7__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v0___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v1___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v2___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v3___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v4___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v5___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v6___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256
+            v7___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256 v0 = v0___;
+        Lib_IntVector_Intrinsics_vec256 v1 = v2___;
+        Lib_IntVector_Intrinsics_vec256 v2 = v4___;
+        Lib_IntVector_Intrinsics_vec256 v3 = v6___;
+        Lib_IntVector_Intrinsics_vec256 v4 = v1___;
+        Lib_IntVector_Intrinsics_vec256 v5 = v3___;
+        Lib_IntVector_Intrinsics_vec256 v6 = v5___;
+        Lib_IntVector_Intrinsics_vec256 v7 = v7___;
+        Lib_IntVector_Intrinsics_vec256 v01 = k[8U];
+        Lib_IntVector_Intrinsics_vec256 v110 = k[9U];
+        Lib_IntVector_Intrinsics_vec256 v21 = k[10U];
+        Lib_IntVector_Intrinsics_vec256 v31 = k[11U];
+        Lib_IntVector_Intrinsics_vec256 v41 = k[12U];
+        Lib_IntVector_Intrinsics_vec256 v51 = k[13U];
+        Lib_IntVector_Intrinsics_vec256 v61 = k[14U];
+        Lib_IntVector_Intrinsics_vec256 v71 = k[15U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v4_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v5_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v6_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v7_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v4__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v5__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v6__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v7__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v0___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v1___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v2___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v3___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v4___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v5___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v6___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256
+            v7___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256 v8 = v0___0;
+        Lib_IntVector_Intrinsics_vec256 v9 = v2___0;
+        Lib_IntVector_Intrinsics_vec256 v10 = v4___0;
+        Lib_IntVector_Intrinsics_vec256 v11 = v6___0;
+        Lib_IntVector_Intrinsics_vec256 v12 = v1___0;
+        Lib_IntVector_Intrinsics_vec256 v13 = v3___0;
+        Lib_IntVector_Intrinsics_vec256 v14 = v5___0;
+        Lib_IntVector_Intrinsics_vec256 v15 = v7___0;
+        k[0U] = v0;
+        k[1U] = v8;
+        k[2U] = v1;
+        k[3U] = v9;
+        k[4U] = v2;
+        k[5U] = v10;
+        k[6U] = v3;
+        k[7U] = v11;
+        k[8U] = v4;
+        k[9U] = v12;
+        k[10U] = v5;
+        k[11U] = v13;
+        k[12U] = v6;
+        k[13U] = v14;
+        k[14U] = v7;
+        k[15U] = v15;
+        for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) {
+            Lib_IntVector_Intrinsics_vec256
+                x = Lib_IntVector_Intrinsics_vec256_load_le(uu____1 + i0 * (uint32_t)32U);
+            Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]);
+            Lib_IntVector_Intrinsics_vec256_store_le(uu____0 + i0 * (uint32_t)32U, y);
+        }
+    }
+    if (rem2 > (uint32_t)0U) {
+        uint8_t *uu____2 = out + nb * (uint32_t)512U;
+        uint8_t *uu____3 = text + nb * (uint32_t)512U;
+        uint8_t plain[512U] = { 0U };
+        memcpy(plain, uu____3, rem1 * sizeof(uu____3[0U]));
+        Lib_IntVector_Intrinsics_vec256 k[16U];
+        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+            k[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+        chacha20_core_256(k, ctx, nb);
+        Lib_IntVector_Intrinsics_vec256 v00 = k[0U];
+        Lib_IntVector_Intrinsics_vec256 v16 = k[1U];
+        Lib_IntVector_Intrinsics_vec256 v20 = k[2U];
+        Lib_IntVector_Intrinsics_vec256 v30 = k[3U];
+        Lib_IntVector_Intrinsics_vec256 v40 = k[4U];
+        Lib_IntVector_Intrinsics_vec256 v50 = k[5U];
+        Lib_IntVector_Intrinsics_vec256 v60 = k[6U];
+        Lib_IntVector_Intrinsics_vec256 v70 = k[7U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v4__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v5__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v6__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v7__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v0___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v1___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v2___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v3___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v4___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v5___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v6___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256
+            v7___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256 v0 = v0___;
+        Lib_IntVector_Intrinsics_vec256 v1 = v2___;
+        Lib_IntVector_Intrinsics_vec256 v2 = v4___;
+        Lib_IntVector_Intrinsics_vec256 v3 = v6___;
+        Lib_IntVector_Intrinsics_vec256 v4 = v1___;
+        Lib_IntVector_Intrinsics_vec256 v5 = v3___;
+        Lib_IntVector_Intrinsics_vec256 v6 = v5___;
+        Lib_IntVector_Intrinsics_vec256 v7 = v7___;
+        Lib_IntVector_Intrinsics_vec256 v01 = k[8U];
+        Lib_IntVector_Intrinsics_vec256 v110 = k[9U];
+        Lib_IntVector_Intrinsics_vec256 v21 = k[10U];
+        Lib_IntVector_Intrinsics_vec256 v31 = k[11U];
+        Lib_IntVector_Intrinsics_vec256 v41 = k[12U];
+        Lib_IntVector_Intrinsics_vec256 v51 = k[13U];
+        Lib_IntVector_Intrinsics_vec256 v61 = k[14U];
+        Lib_IntVector_Intrinsics_vec256 v71 = k[15U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v4_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v5_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v6_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v7_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v4__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v5__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v6__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v7__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v0___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v1___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v2___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v3___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v4___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v5___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v6___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256
+            v7___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256 v8 = v0___0;
+        Lib_IntVector_Intrinsics_vec256 v9 = v2___0;
+        Lib_IntVector_Intrinsics_vec256 v10 = v4___0;
+        Lib_IntVector_Intrinsics_vec256 v11 = v6___0;
+        Lib_IntVector_Intrinsics_vec256 v12 = v1___0;
+        Lib_IntVector_Intrinsics_vec256 v13 = v3___0;
+        Lib_IntVector_Intrinsics_vec256 v14 = v5___0;
+        Lib_IntVector_Intrinsics_vec256 v15 = v7___0;
+        k[0U] = v0;
+        k[1U] = v8;
+        k[2U] = v1;
+        k[3U] = v9;
+        k[4U] = v2;
+        k[5U] = v10;
+        k[6U] = v3;
+        k[7U] = v11;
+        k[8U] = v4;
+        k[9U] = v12;
+        k[10U] = v5;
+        k[11U] = v13;
+        k[12U] = v6;
+        k[13U] = v14;
+        k[14U] = v7;
+        k[15U] = v15;
+        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+            Lib_IntVector_Intrinsics_vec256
+                x = Lib_IntVector_Intrinsics_vec256_load_le(plain + i * (uint32_t)32U);
+            Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]);
+            Lib_IntVector_Intrinsics_vec256_store_le(plain + i * (uint32_t)32U, y);
+        }
+        memcpy(uu____2, plain, rem1 * sizeof(plain[0U]));
+    }
+}
+
+void
+Hacl_Chacha20_Vec256_chacha20_decrypt_256(
+    uint32_t len,
+    uint8_t *out,
+    uint8_t *cipher,
+    uint8_t *key,
+    uint8_t *n1,
+    uint32_t ctr)
+{
+    Lib_IntVector_Intrinsics_vec256 ctx[16U];
+    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+        ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+    chacha20_init_256(ctx, key, n1, ctr);
+    uint32_t rem1 = len % (uint32_t)512U;
+    uint32_t nb = len / (uint32_t)512U;
+    uint32_t rem2 = len % (uint32_t)512U;
+    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
+        uint8_t *uu____0 = out + i * (uint32_t)512U;
+        uint8_t *uu____1 = cipher + i * (uint32_t)512U;
+        Lib_IntVector_Intrinsics_vec256 k[16U];
+        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+            k[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+        chacha20_core_256(k, ctx, i);
+        Lib_IntVector_Intrinsics_vec256 v00 = k[0U];
+        Lib_IntVector_Intrinsics_vec256 v16 = k[1U];
+        Lib_IntVector_Intrinsics_vec256 v20 = k[2U];
+        Lib_IntVector_Intrinsics_vec256 v30 = k[3U];
+        Lib_IntVector_Intrinsics_vec256 v40 = k[4U];
+        Lib_IntVector_Intrinsics_vec256 v50 = k[5U];
+        Lib_IntVector_Intrinsics_vec256 v60 = k[6U];
+        Lib_IntVector_Intrinsics_vec256 v70 = k[7U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v4__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v5__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v6__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v7__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v0___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v1___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v2___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v3___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v4___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v5___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v6___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256
+            v7___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256 v0 = v0___;
+        Lib_IntVector_Intrinsics_vec256 v1 = v2___;
+        Lib_IntVector_Intrinsics_vec256 v2 = v4___;
+        Lib_IntVector_Intrinsics_vec256 v3 = v6___;
+        Lib_IntVector_Intrinsics_vec256 v4 = v1___;
+        Lib_IntVector_Intrinsics_vec256 v5 = v3___;
+        Lib_IntVector_Intrinsics_vec256 v6 = v5___;
+        Lib_IntVector_Intrinsics_vec256 v7 = v7___;
+        Lib_IntVector_Intrinsics_vec256 v01 = k[8U];
+        Lib_IntVector_Intrinsics_vec256 v110 = k[9U];
+        Lib_IntVector_Intrinsics_vec256 v21 = k[10U];
+        Lib_IntVector_Intrinsics_vec256 v31 = k[11U];
+        Lib_IntVector_Intrinsics_vec256 v41 = k[12U];
+        Lib_IntVector_Intrinsics_vec256 v51 = k[13U];
+        Lib_IntVector_Intrinsics_vec256 v61 = k[14U];
+        Lib_IntVector_Intrinsics_vec256 v71 = k[15U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v4_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v5_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v6_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v7_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v4__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v5__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v6__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v7__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v0___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v1___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v2___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v3___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v4___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v5___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v6___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256
+            v7___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256 v8 = v0___0;
+        Lib_IntVector_Intrinsics_vec256 v9 = v2___0;
+        Lib_IntVector_Intrinsics_vec256 v10 = v4___0;
+        Lib_IntVector_Intrinsics_vec256 v11 = v6___0;
+        Lib_IntVector_Intrinsics_vec256 v12 = v1___0;
+        Lib_IntVector_Intrinsics_vec256 v13 = v3___0;
+        Lib_IntVector_Intrinsics_vec256 v14 = v5___0;
+        Lib_IntVector_Intrinsics_vec256 v15 = v7___0;
+        k[0U] = v0;
+        k[1U] = v8;
+        k[2U] = v1;
+        k[3U] = v9;
+        k[4U] = v2;
+        k[5U] = v10;
+        k[6U] = v3;
+        k[7U] = v11;
+        k[8U] = v4;
+        k[9U] = v12;
+        k[10U] = v5;
+        k[11U] = v13;
+        k[12U] = v6;
+        k[13U] = v14;
+        k[14U] = v7;
+        k[15U] = v15;
+        for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) {
+            Lib_IntVector_Intrinsics_vec256
+                x = Lib_IntVector_Intrinsics_vec256_load_le(uu____1 + i0 * (uint32_t)32U);
+            Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]);
+            Lib_IntVector_Intrinsics_vec256_store_le(uu____0 + i0 * (uint32_t)32U, y);
+        }
+    }
+    if (rem2 > (uint32_t)0U) {
+        uint8_t *uu____2 = out + nb * (uint32_t)512U;
+        uint8_t *uu____3 = cipher + nb * (uint32_t)512U;
+        uint8_t plain[512U] = { 0U };
+        memcpy(plain, uu____3, rem1 * sizeof(uu____3[0U]));
+        Lib_IntVector_Intrinsics_vec256 k[16U];
+        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+            k[_i] = Lib_IntVector_Intrinsics_vec256_zero;
+        chacha20_core_256(k, ctx, nb);
+        Lib_IntVector_Intrinsics_vec256 v00 = k[0U];
+        Lib_IntVector_Intrinsics_vec256 v16 = k[1U];
+        Lib_IntVector_Intrinsics_vec256 v20 = k[2U];
+        Lib_IntVector_Intrinsics_vec256 v30 = k[3U];
+        Lib_IntVector_Intrinsics_vec256 v40 = k[4U];
+        Lib_IntVector_Intrinsics_vec256 v50 = k[5U];
+        Lib_IntVector_Intrinsics_vec256 v60 = k[6U];
+        Lib_IntVector_Intrinsics_vec256 v70 = k[7U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16);
+        Lib_IntVector_Intrinsics_vec256
+            v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30);
+        Lib_IntVector_Intrinsics_vec256
+            v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50);
+        Lib_IntVector_Intrinsics_vec256
+            v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70);
+        Lib_IntVector_Intrinsics_vec256
+            v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_, v2_);
+        Lib_IntVector_Intrinsics_vec256
+            v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_, v3_);
+        Lib_IntVector_Intrinsics_vec256
+            v4__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v5__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_, v6_);
+        Lib_IntVector_Intrinsics_vec256
+            v6__ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v7__ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_, v7_);
+        Lib_IntVector_Intrinsics_vec256
+            v0___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v1___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__, v4__);
+        Lib_IntVector_Intrinsics_vec256
+            v2___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v3___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__, v5__);
+        Lib_IntVector_Intrinsics_vec256
+            v4___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v5___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__, v6__);
+        Lib_IntVector_Intrinsics_vec256
+            v6___ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256
+            v7___ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__, v7__);
+        Lib_IntVector_Intrinsics_vec256 v0 = v0___;
+        Lib_IntVector_Intrinsics_vec256 v1 = v2___;
+        Lib_IntVector_Intrinsics_vec256 v2 = v4___;
+        Lib_IntVector_Intrinsics_vec256 v3 = v6___;
+        Lib_IntVector_Intrinsics_vec256 v4 = v1___;
+        Lib_IntVector_Intrinsics_vec256 v5 = v3___;
+        Lib_IntVector_Intrinsics_vec256 v6 = v5___;
+        Lib_IntVector_Intrinsics_vec256 v7 = v7___;
+        Lib_IntVector_Intrinsics_vec256 v01 = k[8U];
+        Lib_IntVector_Intrinsics_vec256 v110 = k[9U];
+        Lib_IntVector_Intrinsics_vec256 v21 = k[10U];
+        Lib_IntVector_Intrinsics_vec256 v31 = k[11U];
+        Lib_IntVector_Intrinsics_vec256 v41 = k[12U];
+        Lib_IntVector_Intrinsics_vec256 v51 = k[13U];
+        Lib_IntVector_Intrinsics_vec256 v61 = k[14U];
+        Lib_IntVector_Intrinsics_vec256 v71 = k[15U];
+        Lib_IntVector_Intrinsics_vec256
+            v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110);
+        Lib_IntVector_Intrinsics_vec256
+            v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31);
+        Lib_IntVector_Intrinsics_vec256
+            v4_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v5_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51);
+        Lib_IntVector_Intrinsics_vec256
+            v6_0 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v7_0 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71);
+        Lib_IntVector_Intrinsics_vec256
+            v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0);
+        Lib_IntVector_Intrinsics_vec256
+            v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0);
+        Lib_IntVector_Intrinsics_vec256
+            v4__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v5__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0);
+        Lib_IntVector_Intrinsics_vec256
+            v6__0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v7__0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0);
+        Lib_IntVector_Intrinsics_vec256
+            v0___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v1___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0__0, v4__0);
+        Lib_IntVector_Intrinsics_vec256
+            v2___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v3___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1__0, v5__0);
+        Lib_IntVector_Intrinsics_vec256
+            v4___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v5___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2__0, v6__0);
+        Lib_IntVector_Intrinsics_vec256
+            v6___0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256
+            v7___0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3__0, v7__0);
+        Lib_IntVector_Intrinsics_vec256 v8 = v0___0;
+        Lib_IntVector_Intrinsics_vec256 v9 = v2___0;
+        Lib_IntVector_Intrinsics_vec256 v10 = v4___0;
+        Lib_IntVector_Intrinsics_vec256 v11 = v6___0;
+        Lib_IntVector_Intrinsics_vec256 v12 = v1___0;
+        Lib_IntVector_Intrinsics_vec256 v13 = v3___0;
+        Lib_IntVector_Intrinsics_vec256 v14 = v5___0;
+        Lib_IntVector_Intrinsics_vec256 v15 = v7___0;
+        k[0U] = v0;
+        k[1U] = v8;
+        k[2U] = v1;
+        k[3U] = v9;
+        k[4U] = v2;
+        k[5U] = v10;
+        k[6U] = v3;
+        k[7U] = v11;
+        k[8U] = v4;
+        k[9U] = v12;
+        k[10U] = v5;
+        k[11U] = v13;
+        k[12U] = v6;
+        k[13U] = v14;
+        k[14U] = v7;
+        k[15U] = v15;
+        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) {
+            Lib_IntVector_Intrinsics_vec256
+                x = Lib_IntVector_Intrinsics_vec256_load_le(plain + i * (uint32_t)32U);
+            Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]);
+            Lib_IntVector_Intrinsics_vec256_store_le(plain + i * (uint32_t)32U, y);
+        }
+        memcpy(uu____2, plain, rem1 * sizeof(plain[0U]));
+    }
+}
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.h
@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "libintvector.h"
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include <string.h>
+#include <stdbool.h>
+
+#ifndef __Hacl_Chacha20_Vec256_H
+#define __Hacl_Chacha20_Vec256_H
+
+#include "Hacl_Chacha20.h"
+#include "Hacl_Kremlib.h"
+
+void
+Hacl_Chacha20_Vec256_chacha20_encrypt_256(
+    uint32_t len,
+    uint8_t *out,
+    uint8_t *text,
+    uint8_t *key,
+    uint8_t *n1,
+    uint32_t ctr);
+
+void
+Hacl_Chacha20_Vec256_chacha20_decrypt_256(
+    uint32_t len,
+    uint8_t *out,
+    uint8_t *cipher,
+    uint8_t *key,
+    uint8_t *n1,
+    uint32_t ctr);
+
+#define __Hacl_Chacha20_Vec256_H_DEFINED
+#endif
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519_51.c
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519_51.c
@ -23,8 +23,8 @@

 #include "Hacl_Curve25519_51.h"

-inline static void
-Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2)
+static inline void
+fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2)
 {
    uint64_t f10 = f1[0U];
    uint64_t f20 = f2[0U];
@ -43,8 +43,8 @@ Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2)
    out[4U] = f14 + f24;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2)
+static inline void
+fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2)
 {
    uint64_t f10 = f1[0U];
    uint64_t f20 = f2[0U];
@ -63,12 +63,8 @@ Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2)
    out[4U] = f14 + (uint64_t)0x3ffffffffffff8U - f24;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fmul(
-    uint64_t *out,
-    uint64_t *f1,
-    uint64_t *f2,
-    FStar_UInt128_uint128 *uu____2959)
+static inline void
+fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2)
 {
    uint64_t f10 = f1[0U];
    uint64_t f11 = f1[1U];
@ -145,12 +141,8 @@ Hacl_Impl_Curve25519_Field51_fmul(
    out[4U] = o4;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fmul2(
-    uint64_t *out,
-    uint64_t *f1,
-    uint64_t *f2,
-    FStar_UInt128_uint128 *uu____4281)
+static inline void
+fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2)
 {
    uint64_t f10 = f1[0U];
    uint64_t f11 = f1[1U];
@ -310,8 +302,8 @@ Hacl_Impl_Curve25519_Field51_fmul2(
    out[9U] = o24;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2)
+static inline void
+fmul1(uint64_t *out, uint64_t *f1, uint64_t f2)
 {
    uint64_t f10 = f1[0U];
    uint64_t f11 = f1[1U];
@ -354,11 +346,8 @@ Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2)
    out[4U] = o4;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fsqr(
-    uint64_t *out,
-    uint64_t *f,
-    FStar_UInt128_uint128 *uu____6941)
+static inline void
+fsqr0(uint64_t *out, uint64_t *f)
 {
    uint64_t f0 = f[0U];
    uint64_t f1 = f[1U];
@ -432,11 +421,8 @@ Hacl_Impl_Curve25519_Field51_fsqr(
    out[4U] = o4;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_fsqr2(
-    uint64_t *out,
-    uint64_t *f,
-    FStar_UInt128_uint128 *uu____7692)
+static inline void
+fsqr20(uint64_t *out, uint64_t *f)
 {
    uint64_t f10 = f[0U];
    uint64_t f11 = f[1U];
@ -591,7 +577,7 @@ Hacl_Impl_Curve25519_Field51_fsqr2(
 }

 static void
-Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f)
+store_felem(uint64_t *u64s, uint64_t *f)
 {
    uint64_t f0 = f[0U];
    uint64_t f1 = f[1U];
@ -651,32 +637,21 @@ Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f)
    u64s[3U] = o3;
 }

-inline static void
-Hacl_Impl_Curve25519_Field51_cswap2(uint64_t bit, uint64_t *p1, uint64_t *p2)
+static inline void
+cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2)
 {
    uint64_t mask = (uint64_t)0U - bit;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) {
        uint64_t dummy = mask & (p1[i] ^ p2[i]);
        p1[i] = p1[i] ^ dummy;
        p2[i] = p2[i] ^ dummy;
    }
 }

-static uint8_t
-    Hacl_Curve25519_51_g25519[32U] =
-        {
-          (uint8_t)9U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U
-        };
+static uint8_t g25519[32U] = { (uint8_t)9U };

 static void
-Hacl_Curve25519_51_point_add_and_double(
-    uint64_t *q,
-    uint64_t *p01_tmp1,
-    FStar_UInt128_uint128 *tmp2)
+point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_UInt128_uint128 *tmp2)
 {
    uint64_t *nq = p01_tmp1;
    uint64_t *nq_p1 = p01_tmp1 + (uint32_t)10U;
@ -689,39 +664,39 @@ Hacl_Curve25519_51_point_add_and_double(
    uint64_t *b = tmp1 + (uint32_t)5U;
    uint64_t *ab = tmp1;
    uint64_t *dc = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2);
+    fadd0(a, x2, z2);
+    fsub0(b, x2, z2);
    uint64_t *x3 = nq_p1;
    uint64_t *z31 = nq_p1 + (uint32_t)5U;
    uint64_t *d0 = dc;
    uint64_t *c0 = dc + (uint32_t)5U;
-    Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31);
-    Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31);
-    Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2);
-    Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0);
-    Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0);
+    fadd0(c0, x3, z31);
+    fsub0(d0, x3, z31);
+    fmul20(dc, dc, ab);
+    fadd0(x3, d0, c0);
+    fsub0(z31, d0, c0);
    uint64_t *a1 = tmp1;
    uint64_t *b1 = tmp1 + (uint32_t)5U;
    uint64_t *d = tmp1 + (uint32_t)10U;
    uint64_t *c = tmp1 + (uint32_t)15U;
    uint64_t *ab1 = tmp1;
    uint64_t *dc1 = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2);
-    Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2);
+    fsqr20(dc1, ab1);
+    fsqr20(nq_p1, nq_p1);
    a1[0U] = c[0U];
    a1[1U] = c[1U];
    a1[2U] = c[2U];
    a1[3U] = c[3U];
    a1[4U] = c[4U];
-    Hacl_Impl_Curve25519_Field51_fsub(c, d, c);
-    Hacl_Impl_Curve25519_Field51_fmul1(b1, c, (uint64_t)121665U);
-    Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d);
-    Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2);
-    Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2);
+    fsub0(c, d, c);
+    fmul1(b1, c, (uint64_t)121665U);
+    fadd0(b1, b1, d);
+    fmul20(nq, dc1, ab1);
+    fmul0(z3, z3, x1);
 }

 static void
-Hacl_Curve25519_51_point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2)
+point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2)
 {
    uint64_t *x2 = nq;
    uint64_t *z2 = nq + (uint32_t)5U;
@ -731,22 +706,22 @@ Hacl_Curve25519_51_point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint
    uint64_t *c = tmp1 + (uint32_t)15U;
    uint64_t *ab = tmp1;
    uint64_t *dc = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2);
+    fadd0(a, x2, z2);
+    fsub0(b, x2, z2);
+    fsqr20(dc, ab);
    a[0U] = c[0U];
    a[1U] = c[1U];
    a[2U] = c[2U];
    a[3U] = c[3U];
    a[4U] = c[4U];
-    Hacl_Impl_Curve25519_Field51_fsub(c, d, c);
-    Hacl_Impl_Curve25519_Field51_fmul1(b, c, (uint64_t)121665U);
-    Hacl_Impl_Curve25519_Field51_fadd(b, b, d);
-    Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2);
+    fsub0(c, d, c);
+    fmul1(b, c, (uint64_t)121665U);
+    fadd0(b, b, d);
+    fmul20(nq, dc, ab);
 }

 static void
-Hacl_Curve25519_51_montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init1)
+montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init1)
 {
    FStar_UInt128_uint128 tmp2[10U];
    for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
@ -756,7 +731,7 @@ Hacl_Curve25519_51_montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init
    uint64_t *p01 = p01_tmp1_swap;
    uint64_t *p03 = p01;
    uint64_t *p11 = p01 + (uint32_t)10U;
-    memcpy(p11, init1, (uint32_t)10U * sizeof init1[0U]);
+    memcpy(p11, init1, (uint32_t)10U * sizeof(init1[0U]));
    uint64_t *x0 = p03;
    uint64_t *z0 = p03 + (uint32_t)5U;
    x0[0U] = (uint64_t)1U;
@ -774,10 +749,10 @@ Hacl_Curve25519_51_montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init
    uint64_t *nq1 = p01_tmp1_swap;
    uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)10U;
    uint64_t *swap1 = p01_tmp1_swap + (uint32_t)40U;
-    Hacl_Impl_Curve25519_Field51_cswap2((uint64_t)1U, nq1, nq_p11);
-    Hacl_Curve25519_51_point_add_and_double(init1, p01_tmp11, tmp2);
+    cswap20((uint64_t)1U, nq1, nq_p11);
+    point_add_and_double(init1, p01_tmp11, tmp2);
    swap1[0U] = (uint64_t)1U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i++) {
        uint64_t *p01_tmp12 = p01_tmp1_swap;
        uint64_t *swap2 = p01_tmp1_swap + (uint32_t)40U;
        uint64_t *nq2 = p01_tmp12;
@ -786,35 +761,31 @@ Hacl_Curve25519_51_montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init
            bit =
                (uint64_t)(key[((uint32_t)253U - i) / (uint32_t)8U] >> ((uint32_t)253U - i) % (uint32_t)8U & (uint8_t)1U);
        uint64_t sw = swap2[0U] ^ bit;
-        Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12);
-        Hacl_Curve25519_51_point_add_and_double(init1, p01_tmp12, tmp2);
+        cswap20(sw, nq2, nq_p12);
+        point_add_and_double(init1, p01_tmp12, tmp2);
        swap2[0U] = bit;
    }
    uint64_t sw = swap1[0U];
-    Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11);
+    cswap20(sw, nq1, nq_p11);
    uint64_t *nq10 = p01_tmp1;
    uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U;
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    memcpy(out, p0, (uint32_t)10U * sizeof p0[0U]);
+    point_double(nq10, tmp1, tmp2);
+    point_double(nq10, tmp1, tmp2);
+    point_double(nq10, tmp1, tmp2);
+    memcpy(out, p0, (uint32_t)10U * sizeof(p0[0U]));
 }

 static void
-Hacl_Curve25519_51_fsquare_times(
-    uint64_t *o,
-    uint64_t *inp,
-    FStar_UInt128_uint128 *tmp,
-    uint32_t n1)
+fsquare_times(uint64_t *o, uint64_t *inp, FStar_UInt128_uint128 *tmp, uint32_t n1)
 {
-    Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp);
-    for (uint32_t i = (uint32_t)0U; i < n1 - (uint32_t)1U; i = i + (uint32_t)1U) {
-        Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp);
+    fsqr0(o, inp);
+    for (uint32_t i = (uint32_t)0U; i < n1 - (uint32_t)1U; i++) {
+        fsqr0(o, o);
    }
 }

 static void
-Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp)
+finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp)
 {
    uint64_t t1[20U] = { 0U };
    uint64_t *a = t1;
@ -822,34 +793,34 @@ Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp)
    uint64_t *c = t1 + (uint32_t)10U;
    uint64_t *t00 = t1 + (uint32_t)15U;
    FStar_UInt128_uint128 *tmp1 = tmp;
-    Hacl_Curve25519_51_fsquare_times(a, i, tmp1, (uint32_t)1U);
-    Hacl_Curve25519_51_fsquare_times(t00, a, tmp1, (uint32_t)2U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, i, tmp);
-    Hacl_Impl_Curve25519_Field51_fmul(a, b, a, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, a, tmp1, (uint32_t)1U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)5U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)10U);
-    Hacl_Impl_Curve25519_Field51_fmul(c, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, c, tmp1, (uint32_t)20U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, c, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)10U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)50U);
-    Hacl_Impl_Curve25519_Field51_fmul(c, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, c, tmp1, (uint32_t)100U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, c, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)50U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)5U);
+    fsquare_times(a, i, tmp1, (uint32_t)1U);
+    fsquare_times(t00, a, tmp1, (uint32_t)2U);
+    fmul0(b, t00, i);
+    fmul0(a, b, a);
+    fsquare_times(t00, a, tmp1, (uint32_t)1U);
+    fmul0(b, t00, b);
+    fsquare_times(t00, b, tmp1, (uint32_t)5U);
+    fmul0(b, t00, b);
+    fsquare_times(t00, b, tmp1, (uint32_t)10U);
+    fmul0(c, t00, b);
+    fsquare_times(t00, c, tmp1, (uint32_t)20U);
+    fmul0(t00, t00, c);
+    fsquare_times(t00, t00, tmp1, (uint32_t)10U);
+    fmul0(b, t00, b);
+    fsquare_times(t00, b, tmp1, (uint32_t)50U);
+    fmul0(c, t00, b);
+    fsquare_times(t00, c, tmp1, (uint32_t)100U);
+    fmul0(t00, t00, c);
+    fsquare_times(t00, t00, tmp1, (uint32_t)50U);
+    fmul0(t00, t00, b);
+    fsquare_times(t00, t00, tmp1, (uint32_t)5U);
    uint64_t *a0 = t1;
    uint64_t *t0 = t1 + (uint32_t)15U;
-    Hacl_Impl_Curve25519_Field51_fmul(o, t0, a0, tmp);
+    fmul0(o, t0, a0);
 }

 static void
-Hacl_Curve25519_51_encode_point(uint8_t *o, uint64_t *i)
+encode_point(uint8_t *o, uint64_t *i)
 {
    uint64_t *x = i;
    uint64_t *z = i + (uint32_t)5U;
@ -858,10 +829,10 @@ Hacl_Curve25519_51_encode_point(uint8_t *o, uint64_t *i)
    FStar_UInt128_uint128 tmp_w[10U];
    for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
        tmp_w[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    Hacl_Curve25519_51_finv(tmp, z, tmp_w);
-    Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w);
-    Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp);
-    for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U) {
+    finv(tmp, z, tmp_w);
+    fmul0(tmp, tmp, x);
+    store_felem(u64s, tmp);
+    for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) {
        store64_le(o + i0 * (uint32_t)8U, u64s[i0]);
    }
 }
@ -871,7 +842,7 @@ Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub)
 {
    uint64_t init1[10U] = { 0U };
    uint64_t tmp[4U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) {
        uint64_t *os = tmp;
        uint8_t *bj = pub + i * (uint32_t)8U;
        uint64_t u = load64_le(bj);
@ -901,17 +872,17 @@ Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub)
    x[2U] = f1h | f2l;
    x[3U] = f2h | f3l;
    x[4U] = f3h;
-    Hacl_Curve25519_51_montgomery_ladder(init1, priv, init1);
-    Hacl_Curve25519_51_encode_point(out, init1);
+    montgomery_ladder(init1, priv, init1);
+    encode_point(out, init1);
 }

 void
 Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv)
 {
    uint8_t basepoint[32U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) {
        uint8_t *os = basepoint;
-        uint8_t x = Hacl_Curve25519_51_g25519[i];
+        uint8_t x = g25519[i];
        os[i] = x;
    }
    Hacl_Curve25519_51_scalarmult(pub, priv, basepoint);
@ -923,7 +894,7 @@ Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
    uint8_t zeros1[32U] = { 0U };
    Hacl_Curve25519_51_scalarmult(out, priv, pub);
    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i = i + (uint32_t)1U) {
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) {
        uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros1[i]);
        res = uu____0 & res;
    }
--- a/security/nss/lib/freebl/verified/Hacl_Kremlib.h
+++ b/security/nss/lib/freebl/verified/Hacl_Kremlib.h
@ -29,23 +29,23 @@
 #ifndef __Hacl_Kremlib_H
 #define __Hacl_Kremlib_H

-inline static uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
+static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);

-inline static uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
+static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);

-inline static uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
+static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);

-inline static FStar_UInt128_uint128
+static inline FStar_UInt128_uint128
 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);

-inline static FStar_UInt128_uint128
+static inline FStar_UInt128_uint128
 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);

-inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
+static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);

-inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
+static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);

-inline static FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
+static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);

 #define __Hacl_Kremlib_H_DEFINED
 #endif
--- a/Show More
+++ b/Show More