Bug 1107731 - Upgrade Mozilla 37 to use NSS 3.18. Landing BETA6. r=wtc
authorKai Engert <kaie@kuix.de>
Fri, 16 Jan 2015 11:40:18 +0100
changeset 224152 90b2075e691f67aefc1f232cacb6ce38f33c40d2
parent 224151 1dc205923d11883eb5ad4a79685a1b7075bed77d
child 224153 836b7ff0d7e25bb298ec3d8aef26a32ba05790cc
push id54143
push userkaie@kuix.de
push dateFri, 16 Jan 2015 10:40:29 +0000
treeherdermozilla-inbound@90b2075e691f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerswtc
bugs1107731
milestone38.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1107731 - Upgrade Mozilla 37 to use NSS 3.18. Landing BETA6. r=wtc
security/nss/TAG-INFO
security/nss/cmd/pp/pp.c
security/nss/coreconf/coreconf.dep
security/nss/doc/Makefile
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/lib/certdb/certt.h
security/nss/lib/freebl/ecl/README
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/utils/README
security/nss/lib/libpkix/include/pkix_revchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/pkg/solaris/common_files/copyright
security/nss/tests/libpkix/sample_apps/README
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA5
+NSS_3_18_BETA6
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -26,18 +26,17 @@ static void Usage(char *progName)
 	    progName);
     fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
     fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
     fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
             SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
-    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
-            SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
+    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");
     fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
 	    "-o output");
     fprintf(stderr, "%-14s Don't wrap long output lines\n",
 	    "-w");
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -34,29 +34,16 @@ date.xml:
 
 version.xml:
 	echo -n ${VERSION} > $@
 
 .PHONY : $(MANPAGES)
 .PHONY : $(HTMLPAGES)
 .PHONY : $(TXTPAGES)
 
-#------------------------------------------
-# Package a tar ball for building in fedora
-# Include the makefile and .xml files only
-# man pages will be created at build time
-#------------------------------------------
-
-tarball:
-	rm -rf $(name); \
-	mkdir -p $(name)/nroff; \
-	cp Makefile $(name); \
-	cp *.xml $(name); \
-	tar cvjf $(name)-$(date).tar.bz2 $(name)
-
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
 	
 MANPAGES = \
--- a/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
@@ -2,31 +2,32 @@
 #include "nss.h"
 #include "ssl.h"
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
+std::string g_working_dir_path;
+
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
-  std::string path = ".";
+  g_working_dir_path = ".";
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
-      path = argv[i + 1];
+      g_working_dir_path = argv[i + 1];
       ++i;
     }
   }
 
-  NSS_Initialize(path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
+  NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
   NSS_SetDomesticPolicy();
-
   int rv = RUN_ALL_TESTS();
 
   NSS_Shutdown();
 
   nss_test::Poller::Shutdown();
 
   return rv;
 }
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -11,16 +11,18 @@
 
 #include "test_io.h"
 #include "tls_parser.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
 
+extern std::string g_working_dir_path;
+
 namespace nss_test {
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
 // Inspector that parses out DTLS records and passes
 // them on.
 class TlsRecordInspector : public Inspector {
  public:
@@ -206,17 +208,20 @@ class TlsAgent : public PollTarget {
 
   TlsAgent(const std::string& name, Role role, Mode mode)
       : name_(name),
         mode_(mode),
         pr_fd_(nullptr),
         adapter_(nullptr),
         ssl_fd_(nullptr),
         role_(role),
-        state_(INIT) {}
+        state_(INIT) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+  }
 
   ~TlsAgent() {
     if (pr_fd_) {
       PR_Close(pr_fd_);
     }
 
     if (ssl_fd_) {
       PR_Close(ssl_fd_);
@@ -282,26 +287,46 @@ class TlsAgent : public PollTarget {
       if (!priv) return false;  // Leak cert.
 
       SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
       EXPECT_EQ(SECSuccess, rv);
       if (rv != SECSuccess) return false;  // Leak cert and key.
 
       SECKEY_DestroyPrivateKey(priv);
       CERT_DestroyCertificate(cert);
+    } else {
+      SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+      EXPECT_EQ(SECSuccess, rv);
+      if (rv != SECSuccess) return false;
     }
 
     SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
                                            reinterpret_cast<void*>(this));
     EXPECT_EQ(SECSuccess, rv);
     if (rv != SECSuccess) return false;
 
     return true;
   }
 
+  void SetSessionTicketsEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                                  en ? PR_TRUE : PR_FALSE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void SetSessionCacheEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                                  en ? PR_FALSE : PR_TRUE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
   void SetVersionRange(uint16_t minver, uint16_t maxver) {
     SSLVersionRange range = {minver, maxver};
     ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
   }
 
   State state() const { return state_; }
 
   const char* state_str() const { return state_str(state()); }
@@ -369,16 +394,21 @@ class TlsAgent : public PollTarget {
       case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
       default:
         LOG("Handshake failed with error " << err);
         SetState(ERROR);
         return;
     }
   }
 
+  std::vector<uint8_t> GetSessionId() {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -421,17 +451,29 @@ class TlsConnectTestBase : public ::test
         client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
         server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
 
   ~TlsConnectTestBase() {
     delete client_;
     delete server_;
   }
 
-  void SetUp() { Init(); }
+  void SetUp() {
+    // Configure a fresh session cache.
+    SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+    Init();
+  }
+
+  void TearDown() {
+    client_ = nullptr;
+    server_ = nullptr;
+
+    SSL_ShutdownServerSessionIDCache();
+  }
 
   void Init() {
     ASSERT_TRUE(client_->Init());
     ASSERT_TRUE(server_->Init());
 
     client_->SetPeer(server_);
     server_->SetPeer(client_);
   }
@@ -466,27 +508,36 @@ class TlsConnectTestBase : public ::test
     bool ret = client_->cipher_suite(&cipher_suite1);
     ASSERT_TRUE(ret);
     ret = server_->cipher_suite(&cipher_suite2);
     ASSERT_TRUE(ret);
     ASSERT_EQ(cipher_suite1, cipher_suite2);
 
     std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
               << std::endl;
+
+    // Check and store session ids.
+    std::vector<uint8_t> sid_c1 = client_->GetSessionId();
+    ASSERT_EQ(32, sid_c1.size());
+    std::vector<uint8_t> sid_s1 = server_->GetSessionId();
+    ASSERT_EQ(32, sid_s1.size());
+    ASSERT_EQ(sid_c1, sid_s1);
+    session_id_ = sid_c1;
   }
 
   void EnableSomeECDHECiphers() {
     client_->EnableSomeECDHECiphers();
     server_->EnableSomeECDHECiphers();
   }
 
  protected:
   Mode mode_;
   TlsAgent* client_;
   TlsAgent* server_;
+  std::vector<uint8_t> session_id_;
 };
 
 class TlsConnectTest : public TlsConnectTestBase {
  public:
   TlsConnectTest() : TlsConnectTestBase(STREAM) {}
 };
 
 class DtlsConnectTest : public TlsConnectTestBase {
@@ -511,16 +562,36 @@ TEST_P(TlsConnectGeneric, Connect) {
   // Check that we negotiated the expected version.
   if (mode_ == STREAM) {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
   } else {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
   }
 }
 
+TEST_P(TlsConnectGeneric, ConnectResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  Connect();
+  ASSERT_EQ(old_sid, session_id_) << "Session was not resumed when it should have been";
+}
+
+TEST_P(TlsConnectGeneric, ConnectNotResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  client_->SetSessionCacheEnabled(false);
+  Connect();
+
+  ASSERT_NE(old_sid, session_id_) << "Session was resumed when it should not have been";
+}
+
 TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
   EnsureTlsSetup();
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
@@ -556,16 +627,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
 
   // Restart
   Reset();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
   EnableSomeECDHECiphers();
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are the same.
   ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
@@ -589,16 +661,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   // Restart
   Reset();
   EnableSomeECDHECiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are different.
   ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -1172,26 +1172,26 @@ typedef struct {
      *     is not yet aware of the latest revocation methods
      *     (or does not want to use them).
      */ 
     PRUint64 *cert_rev_flags_per_method;
 
     /*
      * How many preferred methods are specified?
      * This is equivalent to the size of the array that 
-     *      preferred_revocation_methods points to.
+     *      preferred_methods points to.
      * It's allowed to set this value to zero,
      *      then NSS will decide which methods to prefer.
      */
     PRUint32 number_of_preferred_methods;
 
     /* Array that may specify an optional order of preferred methods.
      * Each array entry shall contain a method identifier as defined
      *   by CERTRevocationMethodIndex.
-     * The entry at index [0] specifies the method with highest preferrence.
+     * The entry at index [0] specifies the method with highest preference.
      * These methods will be tested first for locally available information.
      * Methods allowed for downloading will be attempted in the same order.
      */
     CERTRevocationMethodIndex *preferred_methods;
 
     /*
      * An integer which defines certain aspects of revocation checking
      * (independent of individual methods) by having individual
--- a/security/nss/lib/freebl/ecl/README
+++ b/security/nss/lib/freebl/ecl/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the elliptic curve math library.
-
-The Initial Developer of the Original Code is Sun Microsystems, Inc.
-Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
-Sun Microsystems, Inc. All Rights Reserved.
-
-Contributor(s):
-    Stephen Fung <fungstep@hotmail.com> and
-    Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
  
 The ECL exposes routines for constructing and converting curve
 parameters for internal use.
 
 
 HEADER FILES
 ============
 
--- a/security/nss/lib/freebl/mpi/README
+++ b/security/nss/lib/freebl/mpi/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1997-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 About the MPI Library
 ---------------------
 
 The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
 signed integer arithmetic package.  The implementation is not the most
 efficient possible, but the code is small and should be fairly easily
 portable to just about any machine that supports an ANSI C compiler,
--- a/security/nss/lib/freebl/mpi/utils/README
+++ b/security/nss/lib/freebl/mpi/utils/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 Additional MPI utilities
 ------------------------
 
 The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
 the MPI library for dealing with prime numbers (in particular, testing
 for divisbility, and the Rabin-Miller probabilistic primality test).
 
--- a/security/nss/lib/libpkix/include/pkix_revchecker.h
+++ b/security/nss/lib/libpkix/include/pkix_revchecker.h
@@ -112,17 +112,17 @@ PKIX_RevocationChecker_Create(
  *      Address of ProcessingParams used to initialize the checker.
  *      Must be non-NULL.
  *  "methodType"
  *      Type of the method. Currently only two types are
  *      supported: crl and ocsp. (See PKIX_RevocationMethodType enum).
  *  "methodFlags"
  *      Set of flags for the method.
  *  "methodPriority"
- *      Method priority. (0 corresponds to a highest priority)
+ *      Method priority. (0 corresponds to the highest priority)
  *  "verificationFn"
  *      User call back function that will perform validation of fetched
  *      revocation information(new crl or ocsp response)
  *  "isLeafMethod"
  *      Boolean flag that if set to true indicates that the method should
  *      should be used for leaf cert revocation test(false for chain set
  *      methods).
  *  "plContext"
@@ -138,17 +138,17 @@ PKIX_RevocationChecker_Create(
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_RevocationChecker_CreateAndAddMethod(
     PKIX_RevocationChecker *revChecker,
     PKIX_ProcessingParams *params,
     PKIX_RevocationMethodType methodType,
     PKIX_UInt32 methodFlags,
-    PKIX_UInt32 mathodPriority,
+    PKIX_UInt32 methodPriority,
     PKIX_PL_VerifyCallback verificationFn,
     PKIX_Boolean isLeafMethod,
     void *plContext);
 
 /*
  * FUNCTION: PKIX_RevocationChecker_Check
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
         entry.comparator = NULL;
         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
 
         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
 
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 
-/* Sort methods by theirs priorities */
+/* Sort methods by their priorities (lower priority = higher preference) */
 static PKIX_Error *
 pkix_RevocationChecker_SortComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
     
     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
     
     method1 = (pkix_RevocationMethod *)obj1;
     method2 = (pkix_RevocationMethod *)obj2;
     
-    *pResult = (method1->priority > method2->priority);
+    if (method1->priority < method2->priority) {
+      *pResult = -1;
+    } else if (method1->priority > method2->priority) {
+      *pResult = 1;
+    } else {
+      *pResult = 0;
+    }
     
     PKIX_RETURN(BUILD);
 }
 
 
 /* --Public-Functions--------------------------------------------- */
 
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
@@ -43,18 +43,19 @@ pkix_ExternalRevocationCheckFn(PKIX_PL_C
                                pkix_RevocationMethod *checkerObject,
                                PKIX_ProcessingParams *procParams,
                                PKIX_UInt32 methodFlags,
                                PKIX_RevocationStatus *pRevStatus,
                                PKIX_UInt32 *reasonCode,
                                void **pNBIOContext, void *plContext);
 
 /* Revocation method structure assosiates revocation types with
- * a set of flags on the method, a priority of the method, and
- * method local/external checker functions. */
+ * a set of flags on the method, a priority of the method (0
+ * corresponds to the highest priority), and method local/external
+ * checker functions. */
 struct pkix_RevocationMethodStruct {
     PKIX_RevocationMethodType methodType;
     PKIX_UInt32 flags;
     PKIX_UInt32 priority;
     pkix_LocalRevocationCheckFn (*localRevChecker);
     pkix_ExternalRevocationCheckFn (*externalRevChecker);
 };
 
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
 
 /* --Private-BuildChain-Functions------------------------------------------- */
 
 /*
  * FUNCTION: pkix_Build_SortCertComparator
  * DESCRIPTION:
  *
  *  This Function takes two Certificates cast in "obj1" and "obj2",
- *  compares their validity NotAfter dates and returns the result at
- *  "pResult". The comparison key(s) can be expanded by using other
- *  data in the Certificate in the future.
+ *  compares them to determine which is a more preferable certificate
+ *  for chain building. This Function is suitable for use as a
+ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
+ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
+ *  is more desirable than "obj2".
  *
  * PARAMETERS:
  *  "obj1"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
  *  "obj2"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
@@ -686,24 +688,24 @@ static PKIX_Error *
 pkix_Build_SortCertComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
         PKIX_PL_Date *date1 = NULL;
         PKIX_PL_Date *date2 = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Int32 result = 0;
 
         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
 
         /*
          * For sorting candidate certificates, we use NotAfter date as the
-         * sorted key for now (can be expanded if desired in the future).
+         * comparison key for now (can be expanded if desired in the future).
          *
          * In PKIX_BuildChain, the List of CertStores was reordered so that
          * trusted CertStores are ahead of untrusted CertStores. That sort, or
          * this one, could be taken out if it is determined that it doesn't help
          * performance, or in some way hinders the solution of choosing desired
          * candidates.
          */
 
@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
         
         PKIX_CHECK(PKIX_PL_Object_Compare
                 ((PKIX_PL_Object *)date1,
                 (PKIX_PL_Object *)date2,
                 &result,
                 plContext),
                 PKIX_OBJECTCOMPARATORFAILED);
 
-        *pResult = !result;
+        /*
+         * Invert the result, so that if date1 is greater than date2,
+         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
+         * sorts in ascending order.
+         */
+        *pResult = -result;
 
 cleanup:
 
         PKIX_DECREF(date1);
         PKIX_DECREF(date2);
 
         PKIX_RETURN(BUILD);
 }
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -288,31 +288,28 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJ
  */
 CERTCertificate *
 PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
 						CK_ATTRIBUTE *privateLabel)
 {
     char * nickname = NULL;
     CERTCertificate *cert = NULL;
     CERTCertTrust *trust;
-    PRBool isFortezzaRootCA = PR_FALSE;
-    PRBool swapNickname = PR_FALSE;
 
     cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
     if (cert == NULL) 
     	goto loser;
-	
+
     if (nickname) {
 	if (cert->nickname != NULL) {
 	    cert->dbnickname = cert->nickname;
 	} 
 	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
 	PORT_Free(nickname);
 	nickname = NULL;
-	swapNickname = PR_TRUE;
     }
 
     /* remember where this cert came from.... If we have just looked
      * it up from the database and it already has a slot, don't add a new
      * one. */
     if (cert->slot == NULL) {
 	cert->slot = PK11_ReferenceSlot(slot);
 	cert->pkcs11ID = certID;
@@ -338,17 +335,16 @@ PK11_MakeCertFromHandle(PK11SlotInfo *sl
 	    if (pk11_isID0(slot,certID) && 
 		cert->isRoot) {
 		trustflags |= CERTDB_TRUSTED_CA;
 		/* is the slot a fortezza card? allow the user or
 		 * admin to turn on objectSigning, but don't turn
 		 * full trust on explicitly */
 		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
 		    trust->objectSigningFlags |= CERTDB_VALID_CA;
-		    isFortezzaRootCA = PR_TRUE;
 		}
 	    }
 	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
 		trust->sslFlags |= trustflags;
 	    }
 	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
 		trust->emailFlags |= trustflags;
 	    }
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -1373,36 +1373,35 @@ SECItem *
 pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) 
 { 
     CK_RC2_CBC_PARAMS *rc2_params;
     CK_RC2_PARAMS *rc2_ecb_params;
     SECItem *mech;
     SECItem iv;
     SECStatus rv;
 
-
     mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
     if (mech == NULL) return NULL;
 
     rv = SECSuccess;
     mech->type = siBuffer;
+    mech->data = NULL;
+    mech->len = 0;
     switch (type) {
     case CKM_RC4:
     case CKM_SEED_ECB:
     case CKM_CAMELLIA_ECB:
     case CKM_AES_ECB:
     case CKM_DES_ECB:
     case CKM_DES3_ECB:
     case CKM_IDEA_ECB:
     case CKM_CDMF_ECB:
     case CKM_CAST_ECB:
     case CKM_CAST3_ECB:
     case CKM_CAST5_ECB:
-	mech->data = NULL;
-	mech->len = 0;
 	break;
     case CKM_RC2_ECB:
 	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
 	if (rc2_ecb_params == NULL) {
 	    rv = SECFailure;
 	    break;
 	}
 	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
@@ -1440,18 +1439,16 @@ pk11_GenerateNewParamWithKeyLen(CK_MECHA
 	rv = pk11_GenIV(type,&iv);
 	if (rv != SECSuccess) {
 	    break;
 	}
         PORT_Free(mech);
 	return PK11_ParamFromIV(type,&iv);
     default:
 	if (pk11_lookup(type)->iv == 0) {
-	    mech->data = NULL;
-	    mech->len = 0;
 	    break;
 	}
     case CKM_SEED_CBC:
     case CKM_CAMELLIA_CBC:
     case CKM_AES_CBC:
     case CKM_DES_CBC:
     case CKM_DES3_CBC:
     case CKM_IDEA_CBC:
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -715,23 +715,32 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, 
 }
 
 
 /* FC_CreateObject creates a new object. */
  CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
 					CK_OBJECT_HANDLE_PTR phObject) {
     CK_OBJECT_CLASS * classptr;
+    CK_RV rv = CKR_OK;
 
-    SFTK_FIPSCHECK();
     CHECK_FORK();
 
     classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
     if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
 
+    if (*classptr == CKO_NETSCAPE_NEWSLOT || *classptr == CKO_NETSCAPE_DELSLOT) {
+        if (sftk_fatalError)
+            return CKR_DEVICE_ERROR;
+    } else {
+        rv = sftk_fipsCheck();
+        if (rv != CKR_OK)
+            return rv;
+    }
+
     /* FIPS can't create keys from raw key material */
     if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
 	rv = CKR_ATTRIBUTE_VALUE_INVALID;
     } else {
 	rv = NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
     }
     if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
 	sftk_AuditCreateObject(hSession,pTemplate,ulCount,phObject,rv);
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -8739,21 +8739,21 @@ ssl3_SendServerHello(sslSocket *ss)
 static SECStatus
 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
 				SSL3SignatureAndHashAlgorithm* out)
 {
     TLSSignatureAlgorithm sigAlg;
     unsigned int i, j;
     /* hashPreference expresses our preferences for hash algorithms, most
      * preferable first. */
-    static const PRUint8 hashPreference[] = {
-	tls_hash_sha256,
-	tls_hash_sha384,
-	tls_hash_sha512,
-	tls_hash_sha1,
+    static const SECOidTag hashPreference[] = {
+        SEC_OID_SHA256,
+        SEC_OID_SHA384,
+        SEC_OID_SHA512,
+        SEC_OID_SHA1,
     };
 
     switch (ss->ssl3.hs.kea_def->kea) {
     case kea_rsa:
     case kea_rsa_export:
     case kea_rsa_export_1024:
     case kea_dh_rsa:
     case kea_dh_rsa_export:
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -2253,17 +2253,17 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PR
  * from a client.
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 static SECStatus
 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv;
     SECItem algorithms;
     const unsigned char *b;
-    unsigned int numAlgorithms, i;
+    unsigned int numAlgorithms, i, j;
 
     /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
         return SECSuccess;
     }
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -2289,30 +2289,31 @@ ssl3_ServerHandleSigAlgsXtn(sslSocket * 
     ss->ssl3.hs.clientSigAndHash =
             PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
     if (!ss->ssl3.hs.clientSigAndHash) {
         return SECFailure;
     }
     ss->ssl3.hs.numClientSigAndHash = 0;
 
     b = algorithms.data;
-    for (i = 0; i < numAlgorithms; i++) {
+    for (i = j = 0; i < numAlgorithms; i++) {
         unsigned char tls_hash = *(b++);
         unsigned char tls_sig = *(b++);
         SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
 
         if (hash == SEC_OID_UNKNOWN) {
             /* We ignore formats that we don't understand. */
             continue;
         }
         /* tls_sig support will be checked later in
          * ssl3_PickSignatureHashAlgorithm. */
-        ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
-        ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
-        ss->ssl3.hs.numClientSigAndHash++;
+        ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash;
+        ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig;
+        ++j;
+        ++ss->ssl3.hs.numClientSigAndHash;
     }
 
     if (!ss->ssl3.hs.numClientSigAndHash) {
         /* We didn't understand any of the client's requested signature
          * formats. We'll use the defaults. */
         PORT_Free(ss->ssl3.hs.clientSigAndHash);
         ss->ssl3.hs.clientSigAndHash = NULL;
     }
--- a/security/nss/pkg/solaris/common_files/copyright
+++ b/security/nss/pkg/solaris/common_files/copyright
@@ -1,38 +1,6 @@
 Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.
 
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this package are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this package except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape Portable Runtime (NSPR).
-
-The Initial Developer of the Original Code is
-Netscape Communications Corporation.
-Portions created by the Initial Developer are Copyright (C) 1998-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/tests/libpkix/sample_apps/README
+++ b/security/nss/tests/libpkix/sample_apps/README
@@ -1,44 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 This directory contains both sample applications and performance evaluation
 applications.
 
 SAMPLE APPLICATIONS
 
 Currently, there are two performance applications: libpkix_buildThreads and
 nss_threads. And three sample applications: dumpcert, dumpcrl and