Bug 695833: Update NSS to NSS_3_13_1_BETA2. Includes fixes for
authorWan-Teh Chang <wtc@google.com>
Sat, 22 Oct 2011 17:46:33 -0700
changeset 79111 85be1cf6dd9e111473a5525bd23415ed3b783ed8
parent 79110 5cfb2cfe8bebc3325e2e8796bd0fe09e35c7b1f2
child 79112 969648d5182542a4c7472a7e94a5d252f856a0b1
push id2862
push userwtc@google.com
push dateSun, 23 Oct 2011 00:46:53 +0000
treeherdermozilla-inbound@85be1cf6dd9e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs695833, 647706, 691997
milestone10.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 695833: Update NSS to NSS_3_13_1_BETA2. Includes fixes for bug 647706 and bug 691997. See individual bugs for code reviews.
security/coreconf/coreconf.dep
security/nss/TAG-INFO
security/nss/cmd/lib/secutil.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pkcs12/p12local.c
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/sslerrstrs.c
security/nss/lib/ssl/sslerrstrs.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslutil.h
security/nss/lib/util/secalgid.c
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -37,8 +37,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_13_1_BETA1
+NSS_3_13_1_BETA2
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3758,16 +3758,18 @@ SECU_StringToSignatureAlgTag(const char 
 	if (!PL_strcmp(alg, "MD2")) {
 	    hashAlgTag = SEC_OID_MD2;
 	} else if (!PL_strcmp(alg, "MD4")) {
 	    hashAlgTag = SEC_OID_MD4;
 	} else if (!PL_strcmp(alg, "MD5")) {
 	    hashAlgTag = SEC_OID_MD5;
 	} else if (!PL_strcmp(alg, "SHA1")) {
 	    hashAlgTag = SEC_OID_SHA1;
+	} else if (!PL_strcmp(alg, "SHA224")) {
+	    hashAlgTag = SEC_OID_SHA224;
 	} else if (!PL_strcmp(alg, "SHA256")) {
 	    hashAlgTag = SEC_OID_SHA256;
 	} else if (!PL_strcmp(alg, "SHA384")) {
 	    hashAlgTag = SEC_OID_SHA384;
 	} else if (!PL_strcmp(alg, "SHA512")) {
 	    hashAlgTag = SEC_OID_SHA512;
 	}
     }
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -545,16 +545,17 @@ seckey_GetKeyType (SECOidTag tag) {
 	break;
       case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 	keyType = ecKey;
 	break;
       /* accommodate applications that hand us a signature type when they 
 	* should be handing us a cipher type */
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	keyType = rsaKey;
 	break;
       default:
 	keyType = nullKey;
     }
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secsign.c,v 1.26 2011/07/24 13:48:12 wtc%google.com Exp $ */
+/* $Id: secsign.c,v 1.27 2011/10/22 14:35:42 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "secder.h"
 #include "keyhi.h"
 #include "secoid.h"
 #include "secdig.h"
@@ -473,16 +473,18 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
 	switch (hashAlgTag) {
 	case SEC_OID_MD2:
 	    sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_MD5:
 	    sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_UNKNOWN:	/* default for RSA if not specified */
 	case SEC_OID_SHA1:
 	    sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_SHA224:
+	    sigTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA256:
 	    sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA384:
 	    sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA512:
 	    sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;	break;
 	default:
 	    break;
@@ -497,16 +499,18 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
 	    break;
 	}
 	break;
     case ecKey:
 	switch (hashAlgTag) {
 	case SEC_OID_UNKNOWN:	/* default for ECDSA if not specified */
 	case SEC_OID_SHA1:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break;
+	case SEC_OID_SHA224:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; break;
 	case SEC_OID_SHA256:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break;
 	case SEC_OID_SHA384:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; break;
 	case SEC_OID_SHA512:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; break;
 	default:
 	break;
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secvfy.c,v 1.24 2010/06/23 02:13:56 wtc%google.com Exp $ */
+/* $Id: secvfy.c,v 1.25 2011/10/22 14:35:42 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "keyhi.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "pk11func.h"
@@ -236,16 +236,20 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
         *hashalg = SEC_OID_SHA1;
 	break;
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
         *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */
 	break;
 
+      case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
+	*hashalg = SEC_OID_SHA224;
+	break;
       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
 	*hashalg = SEC_OID_SHA256;
 	break;
       case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
 	*hashalg = SEC_OID_SHA384;
 	break;
@@ -271,19 +275,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
 	 * hash algorithm that is not reduced by the keysize of 
 	 * the EC algorithm. Note that key strength is in bytes and
 	 * algorithms are specified in bits. Never use an algorithm
 	 * weaker than sha1. */
 	len = SECKEY_PublicKeyStrength(key);
 	if (len < 28) { /* 28 bytes == 224 bits */
 	    *hashalg = SEC_OID_SHA1;
 	} else if (len < 32) { /* 32 bytes == 256 bits */
-	    /* SHA 224 not supported in NSS */
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	    return SECFailure;
+	    *hashalg = SEC_OID_SHA224;
 	} else if (len < 48) { /* 48 bytes == 384 bits */
 	    *hashalg = SEC_OID_SHA256;
 	} else if (len < 64) { /* 48 bytes == 512 bits */
 	    *hashalg = SEC_OID_SHA384;
 	} else {
 	    /* use the largest in this case */
 	    *hashalg = SEC_OID_SHA512;
 	}
@@ -318,16 +320,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
     /* get the "encryption" algorithm */ 
     switch (sigAlg) {
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
       case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	*encalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
 	break;
       case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
 	*encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
 	break;
@@ -339,16 +342,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
 	break;
       case SEC_OID_MISSI_DSS:
       case SEC_OID_MISSI_KEA_DSS:
       case SEC_OID_MISSI_KEA_DSS_OLD:
       case SEC_OID_MISSI_DSS_OLD:
 	*encalg = SEC_OID_MISSI_DSS;
 	break;
       case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
       case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
 	*encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
 	break;
       /* we don't implement MD4 hashes */
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -558,16 +558,17 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
     case CKM_CAST5_KEY_GEN:
 	return CKM_CAST5_KEY_GEN;
     case CKM_RSA_PKCS:
     case CKM_RSA_9796:
     case CKM_RSA_X_509:
     case CKM_MD2_RSA_PKCS:
     case CKM_MD5_RSA_PKCS:
     case CKM_SHA1_RSA_PKCS:
+    case CKM_SHA224_RSA_PKCS:
     case CKM_SHA256_RSA_PKCS:
     case CKM_SHA384_RSA_PKCS:
     case CKM_SHA512_RSA_PKCS:
     case CKM_KEY_WRAP_SET_OAEP:
     case CKM_RSA_PKCS_KEY_PAIR_GEN:
 	return CKM_RSA_PKCS_KEY_PAIR_GEN;
     case CKM_RSA_X9_31_KEY_PAIR_GEN:
 	return CKM_RSA_X9_31_KEY_PAIR_GEN;
@@ -591,16 +592,18 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
     case CKM_SSL3_KEY_AND_MAC_DERIVE:
     case CKM_SSL3_SHA1_MAC:
     case CKM_SSL3_MD5_MAC:
     case CKM_TLS_MASTER_KEY_DERIVE:
     case CKM_TLS_KEY_AND_MAC_DERIVE:
 	return CKM_SSL3_PRE_MASTER_KEY_GEN;
     case CKM_SHA_1_HMAC:
     case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_SHA224_HMAC:
+    case CKM_SHA224_HMAC_GENERAL:
     case CKM_SHA256_HMAC:
     case CKM_SHA256_HMAC_GENERAL:
     case CKM_SHA384_HMAC:
     case CKM_SHA384_HMAC_GENERAL:
     case CKM_SHA512_HMAC:
     case CKM_SHA512_HMAC_GENERAL:
     case CKM_MD2_HMAC:
     case CKM_MD2_HMAC_GENERAL:
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -54,30 +54,31 @@
 
 /*************************************************************
  * local static and global data
  *************************************************************/
 
 /*
  * This array helps parsing between names, mechanisms, and flags.
  * to make the config files understand more entries, add them
- * to this table. (NOTE: we need function to export this table and it's size)
+ * to this table. (NOTE: we need function to export this table and its size)
  */
 PK11DefaultArrayEntry PK11_DefaultArray[] = {
 	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
 	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
 	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
 	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
 	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
 	{ "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
 	{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
 	{ "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
 	{ "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC },
 	{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
 	{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
+/*	{ "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */
 	{ "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
 /*	{ "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
 	{ "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
 	{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
 	{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
 	{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
 	{ "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
 	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
@@ -852,16 +853,17 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
     case CKM_DES3_CBC:
 	return &pk11_desSlotList;
     case CKM_RC4:
 	return &pk11_rc4SlotList;
     case CKM_RC5_CBC:
 	return &pk11_rc5SlotList;
     case CKM_SHA_1:
 	return &pk11_sha1SlotList;
+    case CKM_SHA224:
     case CKM_SHA256:
 	return &pk11_sha256SlotList;
     case CKM_SHA384:
     case CKM_SHA512:
 	return &pk11_sha512SlotList;
     case CKM_MD5:
 	return &pk11_md5SlotList;
     case CKM_MD2:
@@ -2019,16 +2021,17 @@ PK11_GetBestSlotMultiple(CK_MECHANISM_TY
 
     PORT_SetError(0);
 
 
     listNeedLogin = PR_FALSE;
     for (i=0; i < mech_count; i++) {
 	if ((type[i] != CKM_FAKE_RANDOM) && 
 	    (type[i] != CKM_SHA_1) &&
+	    (type[i] != CKM_SHA224) &&
 	    (type[i] != CKM_SHA256) &&
 	    (type[i] != CKM_SHA384) &&
 	    (type[i] != CKM_SHA512) &&
 	    (type[i] != CKM_MD5) && 
 	    (type[i] != CKM_MD2)) {
 	    listNeedLogin = PR_TRUE;
 	    break;
 	}
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -57,16 +57,18 @@ sec_pkcs12_algtag_to_mech(SECOidTag algt
 {
     switch (algtag) {
     case SEC_OID_MD2:
 	return CKM_MD2_HMAC;
     case SEC_OID_MD5:
 	return CKM_MD5_HMAC;
     case SEC_OID_SHA1:
 	return CKM_SHA_1_HMAC;
+    case SEC_OID_SHA224:
+	return CKM_SHA224_HMAC;
     case SEC_OID_SHA256:
 	return CKM_SHA256_HMAC;
     case SEC_OID_SHA384:
 	return CKM_SHA384_HMAC;
     case SEC_OID_SHA512:
 	return CKM_SHA512_HMAC;
     default:
 	break;
--- a/security/nss/lib/softoken/rsawrapr.c
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -33,17 +33,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: rsawrapr.c,v 1.18 2011/10/04 22:05:53 wtc%google.com Exp $ */
+/* $Id: rsawrapr.c,v 1.19 2011/10/22 14:35:43 wtc%google.com Exp $ */
 
 #include "blapi.h"
 #include "softoken.h"
 #include "sechash.h"
 
 #include "lowkeyi.h"
 #include "secerr.h"
 
@@ -1164,21 +1164,23 @@ emsa_pss_verify(const unsigned char *mHa
 
     PORT_Free(H_);
     return rv;
 }
 
 static HASH_HashType
 GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
 {
-    /* TODO(wtc): add SHA-224. */
     switch (mech) {
         case CKM_SHA_1:
         case CKG_MGF1_SHA1:
 	    return HASH_AlgSHA1;
+        case CKM_SHA224:
+        case CKG_MGF1_SHA224:
+	    return HASH_AlgSHA224;
         case CKM_SHA256:
         case CKG_MGF1_SHA256:
 	    return HASH_AlgSHA256;
         case CKM_SHA384:
         case CKG_MGF1_SHA384:
 	    return HASH_AlgSHA384;
         case CKM_SHA512:
         case CKG_MGF1_SHA512:
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -35,17 +35,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /* ECC code moved here from ssl3con.c */
-/* $Id: ssl3ecc.c,v 1.24 2010/03/15 08:03:14 nelson%bolyard.com Exp $ */
+/* $Id: ssl3ecc.c,v 1.25 2011/10/22 14:35:44 wtc%google.com Exp $ */
 
 #include "nss.h"
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"	/* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
@@ -963,16 +963,17 @@ ssl3_FilterECCipherSuitesByServerCerts(s
 	SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
 
 	switch (sigTag) {
 	case SEC_OID_PKCS1_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
 	    break;
 	case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
 	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
 	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
--- a/security/nss/lib/ssl/sslerrstrs.c
+++ b/security/nss/lib/ssl/sslerrstrs.c
@@ -33,17 +33,16 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #include "prerror.h"
 #include "sslerr.h"
 #include "prinit.h"
 #include "nssutil.h"
 #include "ssl.h"
-#include "sslerrstrs.h"
 
 #define ER3(name, value, str) {#name, str},
 
 static const struct PRErrorMessage ssltext[] = {
 #include "SSLerrs.h"
     {0,0}
 };
 
@@ -54,13 +53,14 @@ static const struct PRErrorTable ssl_et 
 
 static PRStatus
 ssl_InitializePRErrorTableOnce(void) {
     return PR_ErrorInstallTable(&ssl_et);
 }
 
 static PRCallOnceType once;
 
-PRStatus
+SECStatus
 ssl_InitializePRErrorTable(void)
 {
-    return PR_CallOnce(&once, ssl_InitializePRErrorTableOnce);
+    return (PR_SUCCESS == PR_CallOnce(&once, ssl_InitializePRErrorTableOnce))
+		? SECSuccess : SECFailure;
 }
deleted file mode 100644
--- a/security/nss/lib/ssl/sslerrstrs.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id: sslerrstrs.h,v 1.1 2011/08/17 14:41:02 emaldona%redhat.com Exp $ */
-
-#ifndef __sslerrstrs_h_
-#define __sslerrstrs_h_
-
-#include "prtypes.h"
-
-SEC_BEGIN_PROTOS
-
-extern PRStatus 
-ssl_InitializePRErrorTable(void);
-
-SEC_END_PROTOS
-
-#endif /* __sslerrstrs_h_ */
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -34,17 +34,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.83 2011/10/01 03:59:54 bsmith%mozilla.com Exp $ */
+/* $Id: sslimpl.h,v 1.84 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
 
 #ifdef DEBUG
 #undef NDEBUG
 #else
 #undef NDEBUG
@@ -1146,16 +1146,20 @@ extern const char * const      ssl3_ciph
 extern sslSessionIDLookupFunc  ssl_sid_lookup;
 extern sslSessionIDCacheFunc   ssl_sid_cache;
 extern sslSessionIDUncacheFunc ssl_sid_uncache;
 
 /************************************************************************/
 
 SEC_BEGIN_PROTOS
 
+/* Internal initialization and installation of the SSL error tables */
+extern SECStatus ssl_Init(void);
+extern SECStatus ssl_InitializePRErrorTable(void);
+
 /* Implementation of ops for default (non socks, non secure) case */
 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
 extern int ssl_DefListen(sslSocket *ss, int backlog);
 extern int ssl_DefShutdown(sslSocket *ss, int how);
 extern int ssl_DefClose(sslSocket *ss);
 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
--- a/security/nss/lib/ssl/sslinit.c
+++ b/security/nss/lib/ssl/sslinit.c
@@ -31,30 +31,31 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslinit.c,v 1.1 2011/08/17 14:41:05 emaldona%redhat.com Exp $ */
+/* $Id: sslinit.c,v 1.2 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 #include "prtypes.h"
 #include "prinit.h"
 #include "seccomon.h"
 #include "secerr.h"
 #include "ssl.h"
-#include "sslerrstrs.h"
+#include "sslimpl.h"
 
 static int ssl_inited = 0;
 
 SECStatus
 ssl_Init(void)
 {
     if (!ssl_inited) {
-	if (ssl_InitializePRErrorTable() == PR_FAILURE) {
-	   return (SEC_ERROR_NO_MEMORY);
+	if (ssl_InitializePRErrorTable() != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return (SECFailure);
 	}
 	ssl_inited = 1;
     }
     return SECSuccess;
 }
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.58 2011/10/01 00:11:02 wtc%google.com Exp $ */
+/* $Id: sslsnce.c,v 1.59 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
  * cache sids!
  *
  * About record locking among different server processes:
  *
  * All processes that are part of the same conceptual server (serving on 
  * the same address and port) MUST share a common SSL session cache. 
@@ -78,17 +78,16 @@
 #include "seccomon.h"
 
 #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)
 
 #include "cert.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
-#include "sslutil.h"
 #include "pk11func.h"
 #include "base64.h"
 #include "keyhi.h"
 #include "blapi.h"
 
 #include <stdio.h>
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -35,24 +35,23 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.74 2011/10/06 22:42:34 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.75 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
-#include "sslutil.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #include "blapi.h"
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
 
 struct cipherPolicyStr {
deleted file mode 100644
--- a/security/nss/lib/ssl/sslutil.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id: sslutil.h,v 1.1 2011/08/17 14:41:20 emaldona%redhat.com Exp $ */
-
-#ifndef __sslutil_h_
-#define __sslutil_h_
-
-#include "prtypes.h"
-
-SEC_BEGIN_PROTOS
-
-extern PRStatus SSL_InitializePRErrorTable(void);
-extern SECStatus ssl_Init(void);
-
-SEC_END_PROTOS
-
-#endif /* __sslutil_h_ */
--- a/security/nss/lib/util/secalgid.c
+++ b/security/nss/lib/util/secalgid.c
@@ -65,24 +65,26 @@ SECOID_SetAlgorithmID(PRArenaPool *arena
     if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
 	return SECFailure;
 
     switch (which) {
       case SEC_OID_MD2:
       case SEC_OID_MD4:
       case SEC_OID_MD5:
       case SEC_OID_SHA1:
+      case SEC_OID_SHA224:
       case SEC_OID_SHA256:
       case SEC_OID_SHA384:
       case SEC_OID_SHA512:
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	add_null_param = PR_TRUE;
 	break;
       default:
 	add_null_param = PR_FALSE;
 	break;