Uprev NSS to 3.18 RTM

patches/nss-chacha20-poly1305.patch

-diff -r c3565a90b8c4 lib/freebl/blapi.h
---- a/lib/freebl/blapi.h        Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/freebl/blapi.h        Tue Jan 07 12:11:36 2014 -0800
-@@ -986,6 +986,38 @@
+diff --git a/nss/lib/freebl/blapi.h b/nss/lib/freebl/blapi.h
+index 8324714..682be76 100644
+--- a/nss/lib/freebl/blapi.h
++++ b/nss/lib/freebl/blapi.h
+@@ -986,6 +986,38 @@ Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
                  unsigned int *outputLen, unsigned int maxOutputLen,
                  const unsigned char *input, unsigned int inputLen);
  
 +/******************************************/
 +/*
 +** ChaCha20+Poly1305 AEAD
 +*/
 +
 +extern SECStatus
 +ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
@@ skipping 18 matching lines @@
 +extern SECStatus
 +ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
 +                     unsigned char *output, unsigned int *outputLen,
 +                     unsigned int maxOutputLen,
 +                     const unsigned char *input, unsigned int inputLen,
 +                     const unsigned char *nonce, unsigned int nonceLen,
 +                     const unsigned char *ad, unsigned int adLen);
  
  /******************************************/
  /*
-diff -r c3565a90b8c4 lib/freebl/blapit.h
---- a/lib/freebl/blapit.h       Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/freebl/blapit.h       Tue Jan 07 12:11:36 2014 -0800
-@@ -222,6 +222,7 @@
+diff --git a/nss/lib/freebl/blapit.h b/nss/lib/freebl/blapit.h
+index 8e172d4..5726dc7 100644
+--- a/nss/lib/freebl/blapit.h
++++ b/nss/lib/freebl/blapit.h
+@@ -222,6 +222,7 @@ struct SHA256ContextStr     ;
  struct SHA512ContextStr     ;
  struct AESKeyWrapContextStr ;
  struct SEEDContextStr       ;  
 +struct ChaCha20Poly1305ContextStr;
  
  typedef struct DESContextStr        DESContext;
  typedef struct RC2ContextStr        RC2Context;
-@@ -240,6 +241,7 @@
+@@ -240,6 +241,7 @@ typedef struct SHA512ContextStr     SHA512Context;
  typedef struct SHA512ContextStr     SHA384Context;
  typedef struct AESKeyWrapContextStr AESKeyWrapContext;
  typedef struct SEEDContextStr      SEEDContext;        
 +typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;     
  
  /***************************************************************************
  ** RSA Public and Private Key structures
-diff -r c3565a90b8c4 lib/freebl/chacha20/chacha20.c
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/chacha20/chacha20.c    Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/chacha20/chacha20.c b/nss/lib/freebl/chacha20/chacha20.c
+new file mode 100644
+index 0000000..ca0b1ff
+--- /dev/null
++++ b/nss/lib/freebl/chacha20/chacha20.c
 @@ -0,0 +1,108 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* Adopted from the public domain code in NaCl by djb. */
 +
 +#include <string.h>
 +#include <stdio.h>
 +
@@ skipping 89 matching lines @@
 +       out += 64;
 +    }
 +
 +    if (inLen > 0) {
 +       ChaChaCore(block, input, 20);
 +       for (i = 0; i < inLen; i++) {
 +           out[i] = in[i] ^ block[i];
 +       }
 +    }
 +}
-diff -r c3565a90b8c4 lib/freebl/chacha20/chacha20.h
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/chacha20/chacha20.h    Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/chacha20/chacha20.h b/nss/lib/freebl/chacha20/chacha20.h
+new file mode 100644
+index 0000000..6336ba7
+--- /dev/null
++++ b/nss/lib/freebl/chacha20/chacha20.h
 @@ -0,0 +1,22 @@
 +/*
 + * chacha20.h - header file for ChaCha20 implementation.
 + *
 + * This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef FREEBL_CHACHA20_H_
 +#define FREEBL_CHACHA20_H_
 +
 +#include <stdint.h>
 +
 +/* ChaCha20XOR encrypts |inLen| bytes from |in| with the given key and
 + * nonce and writes the result to |out|, which may be equal to |in|. The
 + * initial block counter is specified by |counter|. */
 +extern void ChaCha20XOR(unsigned char *out,
 +                       const unsigned char *in, unsigned int inLen,
 +                       const unsigned char key[32],
 +                       const unsigned char nonce[8],
 +                       uint64_t counter);
 +
 +#endif  /* FREEBL_CHACHA20_H_ */
-diff -r c3565a90b8c4 lib/freebl/chacha20/chacha20_vec.c
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/chacha20/chacha20_vec.c        Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/chacha20/chacha20_vec.c b/nss/lib/freebl/chacha20/chacha20_vec.c
+new file mode 100644
+index 0000000..c3573b3
+--- /dev/null
++++ b/nss/lib/freebl/chacha20/chacha20_vec.c
 @@ -0,0 +1,281 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation is by Ted Krovetz and was submitted to SUPERCOP and
 + * marked as public domain. It was been altered to allow for non-aligned inputs
 + * and to allow the block counter to be passed in specifically. */
 +
 +#include <string.h>
@@ skipping 262 matching lines @@
 +           }
 +       } else {
 +           buf[0] = REVV_BE(v0 + s0);
 +       }
 +
 +       for (i=inlen & ~15; i<inlen; i++) {
 +           ((char *)op)[i] = ((char *)ip)[i] ^ ((char *)buf)[i];
 +       }
 +    }
 +}
-diff -r c3565a90b8c4 lib/freebl/chacha20poly1305.c
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/chacha20poly1305.c     Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
+new file mode 100644
+index 0000000..6fa5c4b
+--- /dev/null
++++ b/nss/lib/freebl/chacha20poly1305.c
 @@ -0,0 +1,169 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifdef FREEBL_NO_DEPEND
 +#include "stubs.h"
 +#endif
 +
 +#include <string.h>
@@ skipping 150 matching lines @@
 +    Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block);
 +    if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0) {
 +       PORT_SetError(SEC_ERROR_BAD_DATA);
 +       return SECFailure;
 +    }
 +
 +    ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1);
 +
 +    return SECSuccess;
 +}
-diff -r c3565a90b8c4 lib/freebl/chacha20poly1305.h
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/chacha20poly1305.h     Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/chacha20poly1305.h b/nss/lib/freebl/chacha20poly1305.h
+new file mode 100644
+index 0000000..c77632a
+--- /dev/null
++++ b/nss/lib/freebl/chacha20poly1305.h
 @@ -0,0 +1,15 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef _CHACHA20_POLY1305_H_
 +#define _CHACHA20_POLY1305_H_ 1
 +
 +/* ChaCha20Poly1305ContextStr saves the key and tag length for a
 + * ChaCha20+Poly1305 AEAD operation. */
 +struct ChaCha20Poly1305ContextStr {
 +    unsigned char key[32];
 +    unsigned char tagLen;
 +};
 +
 +#endif /* _CHACHA20_POLY1305_H_ */
-diff -r c3565a90b8c4 lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c  Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c b/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
+new file mode 100644
+index 0000000..38cbf35
+--- /dev/null
++++ b/nss/lib/freebl/poly1305/poly1305-donna-x64-sse2-incremental-source.c
 @@ -0,0 +1,623 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation of poly1305 is by Andrew Moon
 + * (https://github.com/floodyberry/poly1305-donna) and released as public
 + * domain. It implements SIMD vectorization based on the algorithm described in
 + * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
 + * block size. */
@@ skipping 604 matching lines @@
 +       /* pad */
 +       t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
 +       t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
 +       h0 += (t0 & 0xfffffffffff)    ; c = (h0 >> 44); h0 &= 0xfffffffffff; t0 = shr128_pair(t1, t0, 44);
 +       h1 += (t0 & 0xfffffffffff) + c; c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24);
 +       h2 += (t1                ) + c;
 +
 +       U64TO8_LE(mac + 0, ((h0      ) | (h1 << 44)));
 +       U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
 +}
-diff -r c3565a90b8c4 lib/freebl/poly1305/poly1305.c
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/poly1305/poly1305.c    Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/poly1305/poly1305.c b/nss/lib/freebl/poly1305/poly1305.c
+new file mode 100644
+index 0000000..d86048a
+--- /dev/null
++++ b/nss/lib/freebl/poly1305/poly1305.c
 @@ -0,0 +1,254 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +/* This implementation of poly1305 is by Andrew Moon
 + * (https://github.com/floodyberry/poly1305-donna) and released as public
 + * domain. */
 +
 +#include <string.h>
@@ skipping 235 matching lines @@
 +       f0 = ((state->h0      ) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
 +       f1 = ((state->h1 >>  6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
 +       f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
 +       f3 = ((state->h3 >> 18) | (state->h4 <<  8)) + (uint64_t)U8TO32_LE(&state->key[12]);
 +
 +       U32TO8_LE(&mac[ 0], (uint32_t)f0); f1 += (f0 >> 32);
 +       U32TO8_LE(&mac[ 4], (uint32_t)f1); f2 += (f1 >> 32);
 +       U32TO8_LE(&mac[ 8], (uint32_t)f2); f3 += (f2 >> 32);
 +       U32TO8_LE(&mac[12], (uint32_t)f3);
 +}
-diff -r c3565a90b8c4 lib/freebl/poly1305/poly1305.h
---- /dev/null   Thu Jan 01 00:00:00 1970 +0000
-+++ b/lib/freebl/poly1305/poly1305.h    Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/freebl/poly1305/poly1305.h b/nss/lib/freebl/poly1305/poly1305.h
+new file mode 100644
+index 0000000..4beb172
+--- /dev/null
++++ b/nss/lib/freebl/poly1305/poly1305.h
 @@ -0,0 +1,31 @@
 +/*
 + * poly1305.h - header file for Poly1305 implementation.
 + *
 + * This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifndef FREEBL_POLY1305_H_
 +#define FREEBL_POLY1305_H_
@@ skipping 12 matching lines @@
 +extern void Poly1305Update(poly1305_state* state,
 +                          const unsigned char *in,
 +                          size_t inLen);
 +
 +/* Poly1305Finish completes the poly1305 calculation and writes a 16 byte
 + * authentication tag to |mac|. */
 +extern void Poly1305Finish(poly1305_state* state,
 +                          unsigned char mac[16]);
 +
 +#endif  /* FREEBL_POLY1305_H_ */
-diff -r c3565a90b8c4 lib/pk11wrap/pk11mech.c
---- a/lib/pk11wrap/pk11mech.c   Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/pk11wrap/pk11mech.c   Tue Jan 07 12:11:36 2014 -0800
-@@ -152,6 +152,8 @@
+diff --git a/nss/lib/pk11wrap/pk11mech.c b/nss/lib/pk11wrap/pk11mech.c
+index b7a7296..edc7a9b 100644
+--- a/nss/lib/pk11wrap/pk11mech.c
++++ b/nss/lib/pk11wrap/pk11mech.c
+@@ -152,6 +152,8 @@ PK11_GetKeyMechanism(CK_KEY_TYPE type)
         return CKM_SEED_CBC;
      case CKK_CAMELLIA:
         return CKM_CAMELLIA_CBC;
 +    case CKK_NSS_CHACHA20:
 +       return CKM_NSS_CHACHA20_POLY1305;
      case CKK_AES:
         return CKM_AES_CBC;
      case CKK_DES:
-@@ -219,6 +221,8 @@
+@@ -219,6 +221,8 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
      case CKM_CAMELLIA_CBC_PAD:
      case CKM_CAMELLIA_KEY_GEN:
         return CKK_CAMELLIA;
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       return CKK_NSS_CHACHA20;
      case CKM_AES_ECB:
      case CKM_AES_CBC:
      case CKM_AES_CCM:
-@@ -429,6 +433,8 @@
+@@ -429,6 +433,8 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
      case CKM_CAMELLIA_CBC_PAD:
      case CKM_CAMELLIA_KEY_GEN:
         return CKM_CAMELLIA_KEY_GEN;
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       return CKM_NSS_CHACHA20_KEY_GEN;
      case CKM_AES_ECB:
      case CKM_AES_CBC:
      case CKM_AES_CCM:
-diff -r c3565a90b8c4 lib/softoken/pkcs11.c
---- a/lib/softoken/pkcs11.c     Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/softoken/pkcs11.c     Tue Jan 07 12:11:36 2014 -0800
-@@ -368,6 +368,9 @@
+diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c
+index bd7c4bd..716922f 100644
+--- a/nss/lib/softoken/pkcs11.c
++++ b/nss/lib/softoken/pkcs11.c
+@@ -370,6 +370,9 @@ static const struct mechanismList mechanisms[] = {
       {CKM_SEED_MAC,            {16, 16, CKF_SN_VR},            PR_TRUE},
       {CKM_SEED_MAC_GENERAL,    {16, 16, CKF_SN_VR},            PR_TRUE},
       {CKM_SEED_CBC_PAD,                {16, 16, CKF_EN_DE_WR_UN},      PR_TRUE},
 +     /* ------------------------- ChaCha20 Operations ---------------------- */
 +     {CKM_NSS_CHACHA20_KEY_GEN,        {32, 32, CKF_GENERATE},         PR_TRUE},
 +     {CKM_NSS_CHACHA20_POLY1305,{32, 32, CKF_EN_DE},           PR_TRUE},
       /* ------------------------- Hashing Operations ----------------------- */
       {CKM_MD2,                 {0,   0, CKF_DIGEST},           PR_FALSE},
       {CKM_MD2_HMAC,            {1, 128, CKF_SN_VR},            PR_TRUE},
-diff -r c3565a90b8c4 lib/softoken/pkcs11c.c
---- a/lib/softoken/pkcs11c.c    Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/softoken/pkcs11c.c    Tue Jan 07 12:11:36 2014 -0800
-@@ -632,6 +632,97 @@
+diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
+index fc050f3..955d4c9 100644
+--- a/nss/lib/softoken/pkcs11c.c
++++ b/nss/lib/softoken/pkcs11c.c
+@@ -663,6 +663,97 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
      return rv;
  }
  
 +static SFTKChaCha20Poly1305Info *
 +sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key,
 +                                   unsigned int keyLen,
 +                                   const CK_NSS_AEAD_PARAMS* params)
 +{
 +    SFTKChaCha20Poly1305Info *ctx;
 +
@@ skipping 77 matching lines @@
 +    }
 +
 +    return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen,
 +                                maxOutputLen, input, inputLen, ctx->nonce,
 +                                sizeof(ctx->nonce), ad, ctx->adLen);
 +}
 +
  /** NSC_CryptInit initializes an encryption/Decryption operation.
   *
   * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
-@@ -1027,6 +1118,35 @@
+@@ -1056,6 +1147,35 @@ finish_des:
         context->destroy = (SFTKDestroy) AES_DestroyContext;
         break;
  
 +    case CKM_NSS_CHACHA20_POLY1305:
 +       if (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS)) {
 +           crv = CKR_MECHANISM_PARAM_INVALID;
 +           break;
 +       }
 +       context->multi = PR_FALSE;
 +       if (key_type != CKK_NSS_CHACHA20) {
@@ skipping 15 matching lines @@
 +       }
 +       context->update = (SFTKCipher) (isEncrypt ?
 +                                       sftk_ChaCha20Poly1305_Encrypt :
 +                                       sftk_ChaCha20Poly1305_Decrypt);
 +       context->destroy = (SFTKDestroy) sftk_ChaCha20Poly1305_DestroyContext;
 +       break;
 +
      case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
         context->doPad = PR_TRUE;
         /* fall thru */
-@@ -3601,6 +3721,10 @@
+@@ -3609,6 +3729,10 @@ nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
         *key_type = CKK_AES;
         if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
         break;
 +    case CKM_NSS_CHACHA20_KEY_GEN:
 +       *key_type = CKK_NSS_CHACHA20;
 +       if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
 +       break;
      default:
         PORT_Assert(0);
         crv = CKR_MECHANISM_INVALID;
-@@ -3846,6 +3970,7 @@
+@@ -3854,6 +3978,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
      case CKM_SEED_KEY_GEN:
      case CKM_CAMELLIA_KEY_GEN:
      case CKM_AES_KEY_GEN:
 +    case CKM_NSS_CHACHA20_KEY_GEN:
  #if NSS_SOFTOKEN_DOES_RC5
      case CKM_RC5_KEY_GEN:
  #endif
-diff -r c3565a90b8c4 lib/softoken/pkcs11i.h
---- a/lib/softoken/pkcs11i.h    Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/softoken/pkcs11i.h    Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/softoken/pkcs11i.h b/nss/lib/softoken/pkcs11i.h
+index 9a00273..175bb78 100644
+--- a/nss/lib/softoken/pkcs11i.h
++++ b/nss/lib/softoken/pkcs11i.h
 @@ -14,6 +14,7 @@
  #include "pkcs11t.h"
  
  #include "sftkdbt.h" 
 +#include "chacha20poly1305.h"
  #include "hasht.h"
  
  /* 
-@@ -104,6 +105,7 @@
+@@ -104,6 +105,7 @@ typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
  typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
  typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo;
  typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
 +typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info;
  typedef struct SFTKItemTemplateStr SFTKItemTemplate;
  
  /* define function pointer typdefs for pointer tables */
-@@ -399,6 +401,16 @@
+@@ -399,6 +401,16 @@ struct SFTKSSLMACInfoStr {
      unsigned int       keySize;
  };
  
 +/* SFTKChaCha20Poly1305Info saves the key, tag length, nonce, and additional
 + * data for a ChaCha20+Poly1305 AEAD operation. */
 +struct SFTKChaCha20Poly1305InfoStr {
 +    ChaCha20Poly1305Context freeblCtx;
 +    unsigned char nonce[8];
 +    unsigned char ad[16];
 +    unsigned char *adOverflow;
 +    unsigned int adLen;
 +};
 +
  /*
   * Template based on SECItems, suitable for passing as arrays
   */
-diff -r c3565a90b8c4 lib/util/pkcs11n.h
---- a/lib/util/pkcs11n.h        Fri Jan 03 20:59:10 2014 +0100
-+++ b/lib/util/pkcs11n.h        Tue Jan 07 12:11:36 2014 -0800
+diff --git a/nss/lib/util/pkcs11n.h b/nss/lib/util/pkcs11n.h
+index a1a0ebb..d48cef6 100644
+--- a/nss/lib/util/pkcs11n.h
++++ b/nss/lib/util/pkcs11n.h
 @@ -51,6 +51,8 @@
  #define CKK_NSS_JPAKE_ROUND1       (CKK_NSS + 2)
  #define CKK_NSS_JPAKE_ROUND2       (CKK_NSS + 3)
  
 +#define CKK_NSS_CHACHA20           (CKK_NSS + 4)
 +
  /*
   * NSS-defined certificate types
   *
 @@ -214,6 +216,9 @@
  #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
  #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  
 +#define CKM_NSS_CHACHA20_KEY_GEN                (CKM_NSS + 25)
 +#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 26)
 +
  /*
   * HISTORICAL:
   * Do not attempt to use these. They are only used by NETSCAPE's internal
-@@ -281,6 +286,14 @@
+@@ -281,6 +286,14 @@ typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
      CK_ULONG ulHeaderLen;       /* in */
  } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
  
 +typedef struct CK_NSS_AEAD_PARAMS {
 +    CK_BYTE_PTR  pIv;  /* This is the nonce. */
 +    CK_ULONG     ulIvLen;
 +    CK_BYTE_PTR  pAAD;
 +    CK_ULONG     ulAADLen;
 +    CK_ULONG     ulTagLen;
 +} CK_NSS_AEAD_PARAMS;
 +
  /*
   * NSS-defined return values
   *