Update NSS to 3.21 RTM and NSPR to 4.11 RTM

patches/nss-chacha20-poly1305.patch

-diff --git a/nss/lib/freebl/blapi.h b/nss/lib/freebl/blapi.h
+diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
 index 8324714..682be76 100644
---- a/nss/lib/freebl/blapi.h
-+++ b/nss/lib/freebl/blapi.h
+--- a/lib/freebl/blapi.h
++++ b/lib/freebl/blapi.h
 @@ -986,6 +986,38 @@ Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
                  unsigned int *outputLen, unsigned int maxOutputLen,
                  const unsigned char *input, unsigned int inputLen);
  
 +/******************************************/
 +/*
 +** ChaCha20+Poly1305 AEAD
 +*/
 +
 +extern SECStatus
@@ skipping 19 matching lines @@
 +extern SECStatus
 +ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
 +                     unsigned char *output, unsigned int *outputLen,
 +                     unsigned int maxOutputLen,
 +                     const unsigned char *input, unsigned int inputLen,
 +                     const unsigned char *nonce, unsigned int nonceLen,
 +                     const unsigned char *ad, unsigned int adLen);
  
  /******************************************/
  /*
-diff --git a/nss/lib/freebl/blapit.h b/nss/lib/freebl/blapit.h
+diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
 index 8e172d4..5726dc7 100644
---- a/nss/lib/freebl/blapit.h
-+++ b/nss/lib/freebl/blapit.h
+--- a/lib/freebl/blapit.h
++++ b/lib/freebl/blapit.h
 @@ -222,6 +222,7 @@ struct SHA256ContextStr     ;
  struct SHA512ContextStr     ;
  struct AESKeyWrapContextStr ;
  struct SEEDContextStr       ;  
 +struct ChaCha20Poly1305ContextStr;
  
  typedef struct DESContextStr        DESContext;
  typedef struct RC2ContextStr        RC2Context;
 @@ -240,6 +241,7 @@ typedef struct SHA512ContextStr     SHA512Context;
  typedef struct SHA512ContextStr     SHA384Context;
  typedef struct AESKeyWrapContextStr AESKeyWrapContext;
  typedef struct SEEDContextStr      SEEDContext;        
 +typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;     
  
  /***************************************************************************
  ** RSA Public and Private Key structures
-diff --git a/nss/lib/freebl/chacha20/chacha20.c b/nss/lib/freebl/chacha20/chacha20.c
+diff --git a/lib/freebl/chacha20/chacha20.c b/lib/freebl/chacha20/chacha20.c
 new file mode 100644
 index 0000000..ca0b1ff
 --- /dev/null
-+++ b/nss/lib/freebl/chacha20/chacha20.c
++++ b/lib/freebl/chacha20/chacha20.c
 @@ -0,0 +1,108 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* Adopted from the public domain code in NaCl by djb. */
 +
 +#include <string.h>
 +#include <stdio.h>
 +
@@ skipping 89 matching lines @@
 +       out += 64;
 +    }
 +
 +    if (inLen > 0) {
 +       ChaChaCore(block, input, 20);
 +       for (i = 0; i < inLen; i++) {
 +           out[i] = in[i] ^ block[i];
 +       }
 +    }
 +}
-diff --git a/nss/lib/freebl/chacha20/chacha20.h b/nss/lib/freebl/chacha20/chacha20.h
+diff --git a/lib/freebl/chacha20/chacha20.h b/lib/freebl/chacha20/chacha20.h
 new file mode 100644
 index 0000000..6336ba7
 --- /dev/null
-+++ b/nss/lib/freebl/chacha20/chacha20.h
++++ b/lib/freebl/chacha20/chacha20.h
 @@ -0,0 +1,22 @@
 +/*
 + * chacha20.h - header file for ChaCha20 implementation.
 + *
 + * This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef FREEBL_CHACHA20_H_
 +#define FREEBL_CHACHA20_H_
 +
 +#include <stdint.h>
 +
 +/* ChaCha20XOR encrypts |inLen| bytes from |in| with the given key and
 + * nonce and writes the result to |out|, which may be equal to |in|. The
 + * initial block counter is specified by |counter|. */
 +extern void ChaCha20XOR(unsigned char *out,
 +                       const unsigned char *in, unsigned int inLen,
 +                       const unsigned char key[32],
 +                       const unsigned char nonce[8],
 +                       uint64_t counter);
 +
 +#endif  /* FREEBL_CHACHA20_H_ */
-diff --git a/nss/lib/freebl/chacha20/chacha20_vec.c b/nss/lib/freebl/chacha20/chacha20_vec.c
+diff --git a/lib/freebl/chacha20/chacha20_vec.c b/lib/freebl/chacha20/chacha20_vec.c
 new file mode 100644
 index 0000000..c3573b3
 --- /dev/null
-+++ b/nss/lib/freebl/chacha20/chacha20_vec.c
++++ b/lib/freebl/chacha20/chacha20_vec.c
 @@ -0,0 +1,281 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
 + * marked as public domain. It was been altered to allow for non-aligned inputs
 + * and to allow the block counter to be passed in specifically. */
 +
 +#include <string.h>
@@ skipping 262 matching lines @@
 +           }
 +       } else {
 +           buf[0] = REVV_BE(v0 + s0);
 +       }
 +
 +       for (i=inlen & ~15; i<inlen; i++) {
 +           ((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
 +       }
 +    }
 +}
-diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
+diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
 new file mode 100644
 index 0000000..6fa5c4b
 --- /dev/null
-+++ b/nss/lib/freebl/chacha20poly1305.c
++++ b/lib/freebl/chacha20poly1305.c
 @@ -0,0 +1,169 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifdef FREEBL_NO_DEPEND
 +#include "stubs.h"
 +#endif
 +
 +#include <string.h>
@@ skipping 150 matching lines @@
 +    Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block);
 +    if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0) {
 +       PORT_SetError(SEC_ERROR_BAD_DATA);
 +       return SECFailure;
 +    }
 +
 +    ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1);
 +
 +    return SECSuccess;
 +}
-diff --git a/nss/lib/freebl/chacha20poly1305.h b/nss/lib/freebl/chacha20poly1305.h
+diff --git a/lib/freebl/chacha20poly1305.h b/lib/freebl/chacha20poly1305.h
 new file mode 100644
 index 0000000..c77632a
 --- /dev/null
-+++ b/nss/lib/freebl/chacha20poly1305.h
++++ b/lib/freebl/chacha20poly1305.h
 @@ -0,0 +1,15 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef _CHACHA20_POLY1305_H_
 +#define _CHACHA20_POLY1305_H_ 1
 +
 +/* ChaCha20Poly1305ContextStr saves the key and tag length for a
 + * ChaCha20+Poly1305 AEAD operation. */
 +struct ChaCha20Poly1305ContextStr {
 +    unsigned char key[32];
 +    unsigned char tagLen;
 +};
 +
 +#endif /* _CHACHA20_POLY1305_H_ */
-diff --git a/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c b/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
+diff --git a/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c b/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
 new file mode 100644
 index 0000000..38cbf35
 --- /dev/null
-+++ b/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
++++ b/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
 @@ -0,0 +1,623 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation of poly1305 is by Andrew Moon
 + * (https://github.com/floodyberry/poly1305-donna) and released as public
 + * domain. It implements SIMD vectorization based on the algorithm described in
 + * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
 + * block size. */
@@ skipping 604 matching lines @@
 +       /* pad */
 +       t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
 +       t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
 +       h0 += (t0 & 0xfffffffffff)    ; c = (h0 >> 44); h0 &= 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
 +       h1 += (t0 & 0xfffffffffff) + c; c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24);
 +       h2 += (t1                ) + c;
 +
 +       U64TO8_LE(mac + 0, ((h0      ) | (h1 << 44)));
 +       U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
 +}
-diff --git a/nss/lib/freebl/poly1305/poly1305.c b/nss/lib/freebl/poly1305/poly1305.c
+diff --git a/lib/freebl/poly1305/poly1305.c b/lib/freebl/poly1305/poly1305.c
 new file mode 100644
 index 0000000..d86048a
 --- /dev/null
-+++ b/nss/lib/freebl/poly1305/poly1305.c
++++ b/lib/freebl/poly1305/poly1305.c
 @@ -0,0 +1,254 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation of poly1305 is by Andrew Moon
 + * (https://github.com/floodyberry/poly1305-donna) and released as public
 + * domain. */
 +
 +#include <string.h>
@@ skipping 235 matching lines @@
 +       f0 = ((state->h0      ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
 +       f1 = ((state->h1 >>  6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
 +       f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
 +       f3 = ((state->h3 >> 18) | (state->h4 <<  8)) + (uint64_t)U8TO32_LE(&state->key[12]);
 +
 +       U32TO8_LE(&mac[ 0], (uint32_t)f0); f1 += (f0 >> 32);
 +       U32TO8_LE(&mac[ 4], (uint32_t)f1); f2 += (f1 >> 32);
 +       U32TO8_LE(&mac[ 8], (uint32_t)f2); f3 += (f2 >> 32);
 +       U32TO8_LE(&mac[12], (uint32_t)f3);
 +}
-diff --git a/nss/lib/freebl/poly1305/poly1305.h b/nss/lib/freebl/poly1305/poly1305.h
+diff --git a/lib/freebl/poly1305/poly1305.h b/lib/freebl/poly1305/poly1305.h
 new file mode 100644
 index 0000000..4beb172
 --- /dev/null
-+++ b/nss/lib/freebl/poly1305/poly1305.h
++++ b/lib/freebl/poly1305/poly1305.h
 @@ -0,0 +1,31 @@
 +/*
 + * poly1305.h - header file for Poly1305 implementation.
 + *
 + * This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef FREEBL_POLY1305_H_
 +#define FREEBL_POLY1305_H_
@@ skipping 12 matching lines @@
 +extern void Poly1305Update(poly1305_state* state,
 +                          const unsigned char *in,
 +                          size_t inLen);
 +
 +/* Poly1305Finish completes the poly1305 calculation and writes a 16 byte
 + * authentication tag to |mac|. */
 +extern void Poly1305Finish(poly1305_state* state,
 +                          unsigned char mac[16]);
 +
 +#endif  /* FREEBL_POLY1305_H_ */
-diff --git a/nss/lib/pk11wrap/pk11mech.c b/nss/lib/pk11wrap/pk11mech.c
-index b7a7296..edc7a9b 100644
---- a/nss/lib/pk11wrap/pk11mech.c
-+++ b/nss/lib/pk11wrap/pk11mech.c
+diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
+index 29e86e6..0ebb075 100644
+--- a/lib/pk11wrap/pk11mech.c
++++ b/lib/pk11wrap/pk11mech.c
 @@ -152,6 +152,8 @@ PK11_GetKeyMechanism(CK_KEY_TYPE type)
         return CKM_SEED_CBC;
      case CKK_CAMELLIA:
         return CKM_CAMELLIA_CBC;
 +    case CKK_NSS_CHACHA20:
 +       return CKM_NSS_CHACHA20_POLY1305;
      case CKK_AES:
         return CKM_AES_CBC;
      case CKK_DES:
 @@ -219,6 +221,8 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
      case CKM_CAMELLIA_CBC_PAD:
      case CKM_CAMELLIA_KEY_GEN:
         return CKK_CAMELLIA;
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       return CKK_NSS_CHACHA20;
      case CKM_AES_ECB:
      case CKM_AES_CBC:
      case CKM_AES_CCM:
-@@ -429,6 +433,8 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
+@@ -431,6 +435,8 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
      case CKM_CAMELLIA_CBC_PAD:
      case CKM_CAMELLIA_KEY_GEN:
         return CKM_CAMELLIA_KEY_GEN;
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       return CKM_NSS_CHACHA20_KEY_GEN;
      case CKM_AES_ECB:
      case CKM_AES_CBC:
      case CKM_AES_CCM:
-diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c
-index bd7c4bd..716922f 100644
---- a/nss/lib/softoken/pkcs11.c
-+++ b/nss/lib/softoken/pkcs11.c
+diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
+index 97d6d3f..75c9e8e 100644
+--- a/lib/softoken/pkcs11.c
++++ b/lib/softoken/pkcs11.c
 @@ -370,6 +370,9 @@ static const struct mechanismList mechanisms[] = {
       {CKM_SEED_MAC,            {16, 16, CKF_SN_VR},            PR_TRUE},
       {CKM_SEED_MAC_GENERAL,    {16, 16, CKF_SN_VR},            PR_TRUE},
       {CKM_SEED_CBC_PAD,                {16, 16, CKF_EN_DE_WR_UN},      PR_TRUE},
 +     /* ------------------------- ChaCha20 Operations ---------------------- */
 +     {CKM_NSS_CHACHA20_KEY_GEN,        {32, 32, CKF_GENERATE},         PR_TRUE},
 +     {CKM_NSS_CHACHA20_POLY1305,{32, 32, CKF_EN_DE},           PR_TRUE},
       /* ------------------------- Hashing Operations ----------------------- */
       {CKM_MD2,                 {0,   0, CKF_DIGEST},           PR_FALSE},
       {CKM_MD2_HMAC,            {1, 128, CKF_SN_VR},            PR_TRUE},
-diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
-index fc050f3..955d4c9 100644
---- a/nss/lib/softoken/pkcs11c.c
-+++ b/nss/lib/softoken/pkcs11c.c
-@@ -663,6 +663,97 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+index 8755f24..992fba4 100644
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -664,6 +664,97 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
      return rv;
  }
  
 +static SFTKChaCha20Poly1305Info *
 +sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key,
 +                                   unsigned int keyLen,
 +                                   const CK_NSS_AEAD_PARAMS* params)
 +{
 +    SFTKChaCha20Poly1305Info *ctx;
 +
@@ skipping 77 matching lines @@
 +    }
 +
 +    return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen,
 +                                maxOutputLen, input, inputLen, ctx->nonce,
 +                                sizeof(ctx->nonce), ad, ctx->adLen);
 +}
 +
  /** NSC_CryptInit initializes an encryption/Decryption operation.
   *
   * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
-@@ -1056,6 +1147,35 @@ finish_des:
+@@ -1057,6 +1148,35 @@ finish_des:
         context->destroy = (SFTKDestroy) AES_DestroyContext;
         break;
  
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       if (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS)) {
 +           crv = CKR_MECHANISM_PARAM_INVALID;
 +           break;
 +       }
 +       context->multi = PR_FALSE;
 +       if (key_type != CKK_NSS_CHACHA20) {
@@ skipping 15 matching lines @@
 +       }
 +       context->update = (SFTKCipher) (isEncrypt ?
 +                                       sftk_ChaCha20Poly1305_Encrypt :
 +                                       sftk_ChaCha20Poly1305_Decrypt);
 +       context->destroy = (SFTKDestroy) sftk_ChaCha20Poly1305_DestroyContext;
 +       break;
 +
      case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
         context->doPad = PR_TRUE;
         /* fall thru */
-@@ -3609,6 +3729,10 @@ nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
+@@ -3654,6 +3774,10 @@ nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
         *key_type = CKK_AES;
         if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
         break;
 +    case CKM_NSS_CHACHA20_KEY_GEN:
 +       *key_type = CKK_NSS_CHACHA20;
 +       if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
 +       break;
      default:
         PORT_Assert(0);
         crv = CKR_MECHANISM_INVALID;
-@@ -3854,6 +3978,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
+@@ -3900,6 +4024,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
      case CKM_SEED_KEY_GEN:
      case CKM_CAMELLIA_KEY_GEN:
      case CKM_AES_KEY_GEN:
 +    case CKM_NSS_CHACHA20_KEY_GEN:
  #if NSS_SOFTOKEN_DOES_RC5
      case CKM_RC5_KEY_GEN:
  #endif
-diff --git a/nss/lib/softoken/pkcs11i.h b/nss/lib/softoken/pkcs11i.h
-index 9a00273..175bb78 100644
---- a/nss/lib/softoken/pkcs11i.h
-+++ b/nss/lib/softoken/pkcs11i.h
+diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
+index 1023a00..4e8601b 100644
+--- a/lib/softoken/pkcs11i.h
++++ b/lib/softoken/pkcs11i.h
 @@ -14,6 +14,7 @@
  #include "pkcs11t.h"
  
  #include "sftkdbt.h" 
 +#include "chacha20poly1305.h"
  #include "hasht.h"
  
  /* 
 @@ -104,6 +105,7 @@ typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
  typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
@@ skipping 13 matching lines @@
 +    ChaCha20Poly1305Context freeblCtx;
 +    unsigned char nonce[8];
 +    unsigned char ad[16];
 +    unsigned char *adOverflow;
 +    unsigned int adLen;
 +};
 +
  /*
   * Template based on SECItems, suitable for passing as arrays
   */
-diff --git a/nss/lib/util/pkcs11n.h b/nss/lib/util/pkcs11n.h
-index a1a0ebb..d48cef6 100644
---- a/nss/lib/util/pkcs11n.h
-+++ b/nss/lib/util/pkcs11n.h
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+index 5e13784..86a396f 100644
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
 @@ -51,6 +51,8 @@
  #define CKK_NSS_JPAKE_ROUND1       (CKK_NSS + 2)
  #define CKK_NSS_JPAKE_ROUND2       (CKK_NSS + 3)
  
 +#define CKK_NSS_CHACHA20           (CKK_NSS + 4)
 +
  /*
   * NSS-defined certificate types
   *
-@@ -214,6 +216,9 @@
- #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
- #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
+@@ -218,6 +220,9 @@
+ #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE    (CKM_NSS + 25)
+ #define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26)
  
-+#define CKM_NSS_CHACHA20_KEY_GEN                (CKM_NSS + 25)
-+#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 26)
++#define CKM_NSS_CHACHA20_KEY_GEN                (CKM_NSS + 27)
++#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 28)
 +
  /*
   * HISTORICAL:
   * Do not attempt to use these. They are only used by NETSCAPE's internal
-@@ -281,6 +286,14 @@ typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
+@@ -285,6 +290,14 @@ typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
      CK_ULONG ulHeaderLen;       /* in */
  } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
  
 +typedef struct CK_NSS_AEAD_PARAMS {
 +    CK_BYTE_PTR  pIv;  /* This is the nonce. */
 +    CK_ULONG     ulIvLen;
 +    CK_BYTE_PTR  pAAD;
 +    CK_ULONG     ulAADLen;
 +    CK_ULONG     ulTagLen;
 +} CK_NSS_AEAD_PARAMS;
 +
  /*
   * NSS-defined return values
   *