Bug 487712, Pick up NSS_HEAD_20090409 to fix WINCE
authorKai Engert <kaie@kuix.de>
Fri, 10 Apr 2009 02:00:56 +0200
changeset 27145 c88e42c8297094cf3ae86ad073c8b6833aadced1
parent 27144 231e1b2519a26672a6313a67ab13ce58d934a0b1
child 27146 71f2a7fd20980dd8de730c08d0079f21643f78ca
push idunknown
push userunknown
push dateunknown
bugs487712
milestone1.9.2a1pre
Bug 487712, Pick up NSS_HEAD_20090409 to fix WINCE. Got r=nelson and r=rrelyea in today's NSS conference call. CLOSED TREE
security/coreconf/coreconf.dep
security/nss/cmd/modutil/pk11jar.html
security/nss/cmd/pk12util/pk12util.c
security/nss/lib/base/nssbaset.h
security/nss/lib/ckfw/capi/staticobj.c
security/nss/lib/freebl/Makefile
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkmod.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11.h
security/nss/lib/util/secasn1d.c
security/nss/lib/util/secport.h
security/nss/tests/memleak/ignored
security/nss/trademarks.txt
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -38,9 +38,8 @@
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
-
--- a/security/nss/cmd/modutil/pk11jar.html
+++ b/security/nss/cmd/modutil/pk11jar.html
@@ -188,17 +188,16 @@ NSPR changes, you will have to add some 
 <li>OS2 (x86)
 <li>OSF (alpha)
 <li>ReliantUNIX (mips)
 <li>SCO (x86)
 <li>SOLARIS (sparc)
 <li>SONY (mips)
 <li>SUNOS (sparc)
 <li>UnixWare (x86)
-<li>WIN16 (x86)
 <li>WIN95 (x86)
 <li>WINNT (x86)
 </ul>
 </code>
 Examples of valid platform strings: <code>IRIX:6.2:mips, Solaris:5.5.1:sparc,
 Linux:2.0.32:x86, WIN95::x86</code>.
 </dl>
 
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -107,17 +107,18 @@ p12u_DestroyContext(p12uContext **ppCtx,
     if((*ppCtx)->file != NULL) {
 	PR_Close((*ppCtx)->file);
     }
 
     if((*ppCtx)->filename != NULL) {
 	if(removeFile) {
 	    PR_Delete((*ppCtx)->filename);
 	}
-	PR_Free((*ppCtx)->filename);
+	PL_strfree((*ppCtx)->filename);
+	(*ppCtx)->filename = NULL;
     }
 
     PR_Free(*ppCtx);
     *ppCtx = NULL;
 }
 
 static p12uContext *
 p12u_InitContext(PRBool fileImport, char *filename)
@@ -129,17 +130,17 @@ p12u_InitContext(PRBool fileImport, char
 
     p12cxt = PORT_ZNew(p12uContext);
     if(!p12cxt) {
 	return NULL;
     }
 
     p12cxt->error = PR_FALSE;
     p12cxt->errorValue = 0;
-    p12cxt->filename = strdup(filename);
+    p12cxt->filename = PL_strdup(filename);
 
     if(!p12u_OpenFile(p12cxt, fileImport)) {
 	p12u_DestroyContext(&p12cxt, PR_FALSE);
 	return NULL;
     }
 
     return p12cxt;
 }
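Review bot: The result of `PL_strdup(filename)` is stored without a NULL check, so on allocation failure p12u_OpenFile is called with `p12cxt->filename == NULL`; how it handles that is not visible in this hunk. A guard directly after the copy would make the failure explicit and reuse the existing cleanup path: `if (!p12cxt->filename) { p12u_DestroyContext(&p12cxt, PR_FALSE); return NULL; }`. The start of p12u_InitContext lies before the hunk.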
@@ -578,17 +579,17 @@ p12u_WriteToExportFile(void *arg, const 
 	p12cxt->error = PR_TRUE;
 	return;
     }
 
     writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (int32)len);
 
     if(writeLen != (int)len) {
 	PR_Close(p12cxt->file);
-	PR_Free(p12cxt->filename);
+	PL_strfree(p12cxt->filename);
 	p12cxt->filename = NULL;
 	p12cxt->file = NULL;
 	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
 	p12cxt->error = PR_TRUE;
     }
 }
 
 
@@ -664,18 +665,19 @@ P12U_ExportPKCS12Object(char *nn, char *
 
     if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, SEC_OID_SHA1)
        != SECSuccess) {
         SECU_PrintError(progName,"PKCS12 add password integrity failed");
         pk12uErrno = PK12UERR_PK12ADDPWDINTEG;
         goto loser;
     }
 
-    for (node = CERT_LIST_HEAD(certlist);!CERT_LIST_END(node,certlist);node=CERT_LIST_NEXT(node))
-    {
+    for (node = CERT_LIST_HEAD(certlist);
+         !CERT_LIST_END(node,certlist);
+	 node=CERT_LIST_NEXT(node)) {
         CERTCertificate* cert = node->cert;
         if (!cert->slot) {
             SECU_PrintError(progName,"cert does not have a slot");
             pk12uErrno = PK12UERR_FINDCERTBYNN;
             goto loser;
         }
     
         keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
@@ -739,18 +741,17 @@ PRIntn
 P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
 			secuPWData *slotPw, secuPWData *p12FilePw)
 {
     SEC_PKCS12DecoderContext *p12dcx = NULL;
     SECItem uniPwitem = { 0 };
     SECStatus rv = SECFailure;
     const SEC_PKCS12DecoderItem *dip;
 
-    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw,
-                             p12FilePw);
+    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
     /* did the blob authenticate properly? */
     if(p12dcx == NULL) {
 	SECU_PrintError(progName,"PKCS12 decode not verified");
 	pk12uErrno = PK12UERR_DECODEVERIFY;
         goto loser;
     }
     rv = SEC_PKCS12DecoderIterateInit(p12dcx);
     if(rv != SECSuccess) {
@@ -1005,32 +1006,32 @@ main(int argc, char **argv)
 
     import_file = (pk12util.options[opt_List].activated) ?
                     SECU_GetOptionArg(&pk12util, opt_List) :
                     SECU_GetOptionArg(&pk12util, opt_Import);
     export_file = SECU_GetOptionArg(&pk12util, opt_Export);
 
     if (pk12util.options[opt_P12FilePWFile].activated) {
 	p12FilePw.source = PW_FROMFILE;
-	p12FilePw.data = PL_strdup(pk12util.options[opt_P12FilePWFile].arg);
+	p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePWFile].arg);
     }
 
     if (pk12util.options[opt_P12FilePW].activated) {
 	p12FilePw.source = PW_PLAINTEXT;
-	p12FilePw.data = PL_strdup(pk12util.options[opt_P12FilePW].arg);
+	p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePW].arg);
     }
 
     if (pk12util.options[opt_SlotPWFile].activated) {
 	slotPw.source = PW_FROMFILE;
-	slotPw.data = PL_strdup(pk12util.options[opt_SlotPWFile].arg);
+	slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPWFile].arg);
     }
 
     if (pk12util.options[opt_SlotPW].activated) {
 	slotPw.source = PW_PLAINTEXT;
-	slotPw.data = PL_strdup(pk12util.options[opt_SlotPW].arg);
+	slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPW].arg);
     }
 
     if (pk12util.options[opt_CertDir].activated) {
 	SECU_ConfigDirectory(pk12util.options[opt_CertDir].arg);
     }
     if (pk12util.options[opt_DBPrefix].activated) {
     	dbprefix = pk12util.options[opt_DBPrefix].arg;
     }
@@ -1089,18 +1090,17 @@ main(int argc, char **argv)
 		pk12uErrno = PK12UERR_INVALIDALGORITHM;
 		goto done;
 	    }
 	}
     }
 	   
 
     if (pk12util.options[opt_Import].activated) {
-	P12U_ImportPKCS12Object(import_file, slot,  &slotPw,
-					   &p12FilePw);
+	P12U_ImportPKCS12Object(import_file, slot,  &slotPw, &p12FilePw);
 
     } else if (pk12util.options[opt_Export].activated) {
 	P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
 			export_file, slot, cipher, certCipher, 
 			&slotPw, &p12FilePw);
         
     } else if (pk12util.options[opt_List].activated) {
 	P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
@@ -1110,14 +1110,15 @@ main(int argc, char **argv)
 	pk12uErrno = PK12UERR_USAGE;
     }
 
 done:
     if (slotPw.data != NULL)
 	PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
     if (p12FilePw.data != NULL)
 	PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
-    if (slot) PK11_FreeSlot(slot);
+    if (slot) 
+    	PK11_FreeSlot(slot);
     if (NSS_Shutdown() != SECSuccess) {
 	pk12uErrno = 1;
     }
     return pk12uErrno;
 }
--- a/security/nss/lib/base/nssbaset.h
+++ b/security/nss/lib/base/nssbaset.h
@@ -33,17 +33,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef NSSBASET_H
 #define NSSBASET_H
 
 #ifdef DEBUG
-static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.7 $ $Date: 2008/10/05 20:59:16 $";
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.8 $ $Date: 2009/04/07 23:52:05 $";
 #endif /* DEBUG */
 
 /*
  * nssbaset.h
  *
  * This file contains the most low-level, fundamental public types.
  */
 
@@ -51,18 +51,17 @@ static const char NSSBASET_CVS_ID[] = "@
 #include "nssilock.h"
 
 /*
  * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
  *
  * NSS has its own versions of these NSPR macros, in a form which
  * does not confuse ctags and other related utilities.  NSPR 
  * defines these macros to take the type as an argument, because
- * of a requirement to support win16 dlls.  We do not have that
- * requirement, so we can drop that restriction.
+ * of certain OS requirements on platforms not supported by NSS.
  */
 
 #define DUMMY	/* dummy */
 #define NSS_EXTERN         extern
 #define NSS_EXTERN_DATA    extern
 #define NSS_IMPLEMENT      
 #define NSS_IMPLEMENT_DATA 
 
--- a/security/nss/lib/ckfw/capi/staticobj.c
+++ b/security/nss/lib/ckfw/capi/staticobj.c
@@ -32,17 +32,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $";
+static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.3 $ $Date: 2009/04/09 02:28:50 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.3 $ $Date: 2009/04/09 02:28:50 $";
 #endif /* DEBUG */
 
 #ifndef CKCAPI_H
 #include "ckcapi.h"
 #endif /* CKCAPI_H */
 
 static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
@@ -63,12 +63,15 @@ static const NSSItem nss_ckcapi_items_1 
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla CAPI Access", (PRUint32)20 }
 };
 
 ckcapiInternalObject nss_ckcapi_data[] = {
-  { ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
+  { ckcapiRaw,
+    { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} ,
+  },
+
 };
 
 const PRUint32 nss_ckcapi_nObjects = 1;
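Review bot: The rewritten `nss_ckcapi_data` initializer leaves a stray `} ,` and an empty line before the closing brace, and it now relies on every member after the second one being zero-initialised implicitly (the layout of ckcapiInternalObject is not visible here). A single line with a comment reads more clearly and records the intent: `{ ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1 } }, /* remaining members zero-initialised */`.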
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -85,17 +85,17 @@ ifneq (,$(filter-out WIN%,$(OS_TARGET)))
 endif
 endif
 
 ifeq ($(OS_TARGET),OSF1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
     MPI_SRCS += mpvalpha.c
 endif
 
-ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WIN16 and WINCE
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WINCE
 ifndef USE_64
 # 32-bit Windows
 ifdef NS_USE_GCC
 # Ideally, we want to use assembler
 #     ASFILES  = mpi_x86.s
 #     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
 #                -DMP_ASSEMBLY_DIV_2DX1D
 # but we haven't figured out how to make it work, so we are not
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Permanent Certificate database handling code 
  *
- * $Id: pcertdb.c,v 1.7 2009/02/03 05:34:44 julien.pierre.boogz%sun.com Exp $
+ * $Id: pcertdb.c,v 1.9 2009/04/09 02:00:33 nelson%bolyard.com Exp $
  */
 #include "lowkeyti.h"
 #include "pcert.h"
 #include "mcom_db.h"
 #include "pcert.h"
 #include "secitem.h"
 #include "secder.h"
 
@@ -756,24 +756,27 @@ DecodeDBCertEntry(certDBEntryCert *entry
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
     /* is database entry correct length? */
     entry->derCert.len = ( ( dbentry->data[lenoff] << 8 ) |
 			  dbentry->data[lenoff+1] );
     nnlen = ( ( dbentry->data[lenoff+2] << 8 ) | dbentry->data[lenoff+3] );
-    if ( ( entry->derCert.len + nnlen + headerlen )
-	!= dbentry->len) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
+    lenoff = dbentry->len - ( entry->derCert.len + nnlen + headerlen );
+    if ( lenoff ) {
+	if ( lenoff < 0 || (lenoff & 0xffff) != 0 ) {
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    goto loser;
+	}
+	/* The cert size exceeded 64KB.  Reconstruct the correct length. */
+	entry->derCert.len += lenoff;
     }
     
     /* copy the dercert */
-
     entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
 	entry->derCert.len,entry->derCertSpace,sizeof(entry->derCertSpace));
     if ( entry->derCert.data == NULL ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
 
     /* copy the nickname */
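Review bot: The new length check in DecodeDBCertEntry stores an unsigned difference in `lenoff` and then tests `lenoff < 0`, so rejecting a record that is shorter than its declared lengths depends on how the wrapped value converts to a signed type; the declaration of `lenoff` is outside the hunk, and the same variable held the header offset a few lines earlier. Since the reconstructed length is the size of the copy out of `dbentry->data` that follows, comparing before subtracting is safer: `unsigned int need = entry->derCert.len + nnlen + headerlen;` and `if (dbentry->len < need || ((dbentry->len - need) & 0xffff) != 0)` for the error branch, then `entry->derCert.len += dbentry->len - need;`. The same subtraction into an `int lenDiff` appears in the DecodeDBCrlEntry, DecodeDBNicknameEntry and DecodeDBSMimeEntry hunks. The function starts and ends outside the hunk.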
@@ -1170,60 +1173,60 @@ EncodeDBCrlEntry(certDBEntryRevocation *
 
 loser:
     return(SECFailure);
 }
 
 static SECStatus
 DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
 {
-    unsigned int nnlen;
-    
+    unsigned int urlLen;
+    int lenDiff;
+
     /* is record long enough for header? */
     if ( dbentry->len < DB_CRL_ENTRY_HEADER_LEN ) {
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
     /* is database entry correct length? */
     entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN )
-	!= dbentry->len) {
-      /* CRL entry is greater than 64 K. Hack to make this continue to work */
-      if (dbentry->len >= (0xffff - DB_CRL_ENTRY_HEADER_LEN) - nnlen) {
-          entry->derCrl.len = 
-                      (dbentry->len - DB_CRL_ENTRY_HEADER_LEN) - nnlen;
-      } else {
-          PORT_SetError(SEC_ERROR_BAD_DATABASE);
-          goto loser;
-      }    
-    }
-    
-    /* copy the dercert */
+    urlLen =            ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    lenDiff = dbentry->len - 
+			(entry->derCrl.len + urlLen + DB_CRL_ENTRY_HEADER_LEN);
+    if (lenDiff) {
+    	if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    goto loser;
+	}    
+	/* CRL entry is greater than 64 K. Hack to make this continue to work */
+	entry->derCrl.len += lenDiff;
+    }
+    
+    /* copy the der CRL */
     entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
 							 entry->derCrl.len);
     if ( entry->derCrl.data == NULL ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
     PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
 	      entry->derCrl.len);
 
     /* copy the url */
     entry->url = NULL;
-    if (nnlen != 0) {
-	entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
+    if (urlLen != 0) {
+	entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, urlLen);
 	if ( entry->url == NULL ) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
 	}
 	PORT_Memcpy(entry->url,
 	      &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
-	      nnlen);
+	      urlLen);
     }
     
     return(SECSuccess);
 loser:
     return(SECFailure);
 }
 
 /*
@@ -1495,30 +1498,37 @@ EncodeDBNicknameKey(char *nickname, PRAr
 loser:
     return(SECFailure);
 }
 
 static SECStatus
 DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
                       char *nickname)
 {
+    int lenDiff;
+
     /* is record long enough for header? */
     if ( dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
     /* is database entry correct length? */
     entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    if (( entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN ) !=
-	dbentry->len ){
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
+    lenDiff = dbentry->len - 
+	      (entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN);
+    if (lenDiff) {
+	if (lenDiff < 0 || (lenDiff & 0xffff) != 0 ) { 
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    goto loser;
+	}
+	/* The entry size exceeded 64KB.  Reconstruct the correct length. */
+	entry->subjectName.len += lenDiff;
+    }
+
     /* copy the certkey */
     entry->subjectName.data =
 	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
 					 entry->subjectName.len);
     if ( entry->subjectName.data == NULL ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
@@ -1823,32 +1833,41 @@ loser:
 }
 
 /*
  * Decode a database SMIME record
  */
 static SECStatus
 DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
 {
+    int lenDiff;
+
     /* is record long enough for header? */
     if ( dbentry->len < DB_SMIME_ENTRY_HEADER_LEN ) {
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
     /* is database entry correct length? */
-    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    entry->smimeOptions.len = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    entry->optionsDate.len = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
-    if (( entry->subjectName.len + entry->smimeOptions.len +
-	 entry->optionsDate.len + DB_SMIME_ENTRY_HEADER_LEN ) != dbentry->len){
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
+    entry->subjectName.len  = (( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    entry->smimeOptions.len = (( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    entry->optionsDate.len  = (( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    lenDiff = dbentry->len - (entry->subjectName.len + 
+                              entry->smimeOptions.len + 
+			      entry->optionsDate.len + 
+			      DB_SMIME_ENTRY_HEADER_LEN);
+    if (lenDiff) {
+	if (lenDiff < 0 || (lenDiff & 0xffff) != 0 ) { 
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    goto loser;
+	}
+	/* The entry size exceeded 64KB.  Reconstruct the correct length. */
+	entry->subjectName.len += lenDiff;
+    }
+
     /* copy the subject name */
     entry->subjectName.data =
 	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
 					 entry->subjectName.len);
     if ( entry->subjectName.data == NULL ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
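Review bot: In DecodeDBSMimeEntry the whole 64 KB-multiple excess is added to `subjectName.len`, but `smimeOptions.len` and `optionsDate.len` are read from 16-bit fields too, so if one of those is the value that wrapped, the three items are split at the wrong boundaries even though the sum matches the record length. The comment states the reconstruction as fact; it should state the assumption, e.g. `/* Total exceeds 64KB; assume subjectName is the field whose length wrapped. */`. The cert and CRL decoders make the same choice against `nnlen` and `urlLen`. The function body continues past the end of the hunk.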
@@ -4218,50 +4237,53 @@ SECStatus
 nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
 		      certDBEntryType type,
 		      SECStatus (* callback)(SECItem *data, SECItem *key,
 					    certDBEntryType type, void *pdata),
 		      void *udata )
 {
     DBT data;
     DBT key;
-    SECStatus rv;
+    SECStatus rv = SECSuccess;
     int ret;
     SECItem dataitem;
     SECItem keyitem;
     unsigned char *buf;
     unsigned char *keybuf;
     
     ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
-
     if ( ret ) {
 	return(SECFailure);
     }
-    
+    /* here, ret is zero and rv is SECSuccess.  
+     * Below here, ret is a count of successful calls to the callback function.
+     */
     do {
 	buf = (unsigned char *)data.data;
 	
 	if ( buf[1] == (unsigned char)type ) {
 	    dataitem.len = data.size;
 	    dataitem.data = buf;
             dataitem.type = siBuffer;
 	    keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
 	    keybuf = (unsigned char *)key.data;
 	    keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
             keyitem.type = siBuffer;
 	    /* type should equal keybuf[0].  */
 
 	    rv = (* callback)(&dataitem, &keyitem, type, udata);
-	    if ( rv != SECSuccess ) {
-		return(rv);
+	    if ( rv == SECSuccess ) {
+		++ret;
 	    }
 	}
     } while ( certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0 );
-
-    return(SECSuccess);
+    /* If any callbacks succeeded, or no calls to callbacks were made, 
+     * then report success.  Otherwise, report failure.
+     */
+    return (ret ? SECSuccess : rv);
 }
 /*
  * Decode a certificate and enter it into the temporary certificate database.
  * Deal with nicknames correctly
  *
  * This is the private entry point.
  */
 static NSSLOWCERTCertificate *
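Review bot: A callback failure no longer stops nsslowcert_TraverseDBEntries, and it no longer reaches the caller once any other entry has succeeded, so a callback that returned failure to end the walk early or to report a bad record now has that result discarded. No caller is visible here to confirm that none depends on the old behaviour. The function's header comment (outside the hunk) should state the new contract, and the success count deserves its own variable instead of reusing `ret` from certdb_Seq, e.g. `int nSuccess = 0;` with `return (nSuccess ? SECSuccess : rv);`.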
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -1713,17 +1713,19 @@ sdb_init(char *dbname, char *table, sdbD
     if (sqlerr != SQLITE_OK) {
 	error = sdb_mapSQLError(type, sqlerr); 
 	goto loser;
     }
     /* sql created the file, but it doesn't set appropriate modes for
      * a database */
     if (create) {
 	/* NO NSPR call for this? :( */
+#ifndef WINCE
 	chmod (dbname, 0600);
+#endif
     }
 
     if (flags != SDB_RDONLY) {
 	sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
 	if (sqlerr != SQLITE_OK) {
 	    error = sdb_mapSQLError(type, sqlerr);
 	    goto loser;
 	}
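Review bot: With the `#ifndef WINCE` guard a newly created database keeps whatever access the platform gives a new file on WINCE, and on every other platform the result of `chmod (dbname, 0600)` is still ignored, so a failure to restrict the key/cert database goes unnoticed. The guard should carry a comment stating that the permission restriction is deliberately skipped on that platform and why (presumably chmod is unavailable there), and the non-WINCE branch could map a failing `chmod` to an error instead of continuing. sdb_init starts and ends outside the hunk.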
--- a/security/nss/lib/softoken/sftkmod.c
+++ b/security/nss/lib/softoken/sftkmod.c
@@ -192,16 +192,17 @@ char *sftk_getOldSecmodName(const char *
     return file;
 }
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 #include <fcntl.h>
 
+#ifndef WINCE
 /* same as fopen, except it doesn't use umask, but explicit */
 FILE *
 lfopen(const char *name, const char *mode, int flags)
 {
     int fd;
     FILE *file;
 
     fd = open(name, flags, 0600);
@@ -210,16 +211,17 @@ lfopen(const char *name, const char *mod
     }
     file = fdopen(fd, mode);
     if (!file) {
 	close(fd);
     }
     /* file inherits fd */
     return file;
 }
+#endif
 
 #define MAX_LINE_LENGTH 2048
 #define SFTK_DEFAULT_INTERNAL_INIT1 "library= name=\"NSS Internal PKCS #11 Module\" parameters="
 #define SFTK_DEFAULT_INTERNAL_INIT2 " NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={"
 #define SFTK_DEFAULT_INTERNAL_INIT3 " askpw=any timeout=30})\""
 
 /*
  * Read all the existing modules in out of the file.
@@ -554,17 +556,21 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
 
     dbname2 = strdup(dbname);
     if (dbname2 == NULL) goto loser;
     dbname2[strlen(dbname)-1]++;
 
     /* do we really want to use streams here */
     fd = fopen(dbname, "r");
     if (fd == NULL) goto loser;
+#ifdef WINCE
+    fd2 = fopen(dbname2, "w+");
+#else
     fd2 = lfopen(dbname2, "w+", O_CREAT|O_RDWR|O_TRUNC);
+#endif
     if (fd2 == NULL) goto loser;
 
     name = sftk_argGetParamValue("name",args);
     if (name) {
 	name_len = PORT_Strlen(name);
     }
     lib = sftk_argGetParamValue("library",args);
     if (lib) {
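Review bot: On WINCE the rewritten secmod file is opened with plain `fopen`, so the explicit 0600 creation mode that `lfopen` passes to `open` is not applied on that platform, and the same `#ifdef` is repeated in the sftkdb_AddSecmodDB hunk further down. Keeping both call sites unconditional and putting the fallback beside the definition would leave the platform difference in one documented place: in an `#else` branch of the `#ifndef WINCE` around lfopen, `#define lfopen(name, mode, flags) fopen((name), (mode)) /* WINCE: created with default access, not 0600 */`. sftkdb_DeleteSecmodDB starts and ends outside the hunk.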
@@ -663,17 +669,21 @@ sftkdb_AddSecmodDB(SDBType dbType, const
     /* can't write to a read only module */
     if (!rw) {
 	return SECFailure;
     }
 
     /* remove the previous version if it exists */
     (void) sftkdb_DeleteSecmodDB(dbType, appName, filename, dbname, module, rw);
 
+#ifdef WINCE
+    fd = fopen(dbname, "a+");
+#else
     fd = lfopen(dbname, "a+", O_CREAT|O_RDWR|O_APPEND);
+#endif
     if (fd == NULL) {
 	return SECFailure;
     }
     module = sftk_argStrip(module);
     while (*module) {
 	int count;
 	char *keyEnd = PORT_Strchr(module,'=');
 	char *value;
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -35,17 +35,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.56 2008/12/17 06:09:19 nelson%bolyard.com Exp $ */
+/* $Id: sslsock.c,v 1.57 2009/04/09 01:46:22 nelson%bolyard.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nspr.h"
 #include "private/pprio.h"
@@ -1553,18 +1553,23 @@ SSL_SetSockPeerID(PRFileDesc *fd, char *
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
 		 SSL_GETPID(), fd));
 	return SECFailure;
     }
 
-    ss->peerID = PORT_Strdup(peerID);
-    return SECSuccess;
+    if (ss->peerID) {
+    	PORT_Free(ss->peerID);
+	ss->peerID = NULL;
+    }
+    if (peerID)
+	ss->peerID = PORT_Strdup(peerID);
+    return (ss->peerID || !peerID) ? SECSuccess : SECFailure;
 }
 
 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
 
 static PRInt16 PR_CALLBACK
 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
 {
     sslSocket *ss;
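Review bot: In SSL_SetSockPeerID the old `ss->peerID` is freed before `PORT_Strdup` is attempted, so when the copy fails the function returns SECFailure and the socket has also lost the peer ID it had before the call. Duplicating first and swapping only on success keeps the previous value intact on failure and makes the return expression unnecessary. Whether `ss->peerID` can be read concurrently while it is being replaced is not visible here; the function starts outside the hunk.

```c
    /* … unchanged: ssl_FindSocket lookup and bad-socket return … */
    /* newID: declare as `char *newID = NULL;` with the other locals */
    if (peerID) {
        newID = PORT_Strdup(peerID);
        if (!newID) {
            return SECFailure;      /* previous peerID is left in place */
        }
    }
    if (ss->peerID) {
        PORT_Free(ss->peerID);
    }
    ss->peerID = newID;
    return SECSuccess;
```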
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -35,17 +35,19 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef __nssutil_h_
 #define __nssutil_h_
 
+#ifndef RC_INVOKED
 #include "seccomon.h"
+#endif
 
 /*
  * NSS utilities's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <Beta>]"
  */
--- a/security/nss/lib/util/pkcs11.h
+++ b/security/nss/lib/util/pkcs11.h
@@ -69,42 +69,32 @@ extern "C" {
  *
  * #pragma pack(push, cryptoki, 1)
  *
  * and using the following preprocessor directive after including
  * pkcs11.h or pkcs11t.h:
  *
  * #pragma pack(pop, cryptoki)
  *
- * In a Win16 environment, this might be done by using the
- * following preprocessor directive before including pkcs11.h
- * or pkcs11t.h:
- *
- * #pragma pack(1)
- *
  * In a UNIX environment, you're on your own here.  You might
  * not need to do anything.
  *
  *
  * Now for the macros:
  *
  *
  * 1. CK_PTR: The indirection string for making a pointer to an
  * object.  It can be used like this:
  *
  * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
  *
  * In a Win32 environment, it might be defined by
  *
  * #define CK_PTR *
  *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_PTR far *
- *
  * In a UNIX environment, it might be defined by
  *
  * #define CK_PTR *
  *
  *
  * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
  * an exportable PKCS #11 library function definition out of a
  * return type and a function name.  It should be used in the
@@ -119,22 +109,16 @@ extern "C" {
  * }
  *
  * For defining a function in a Win32 PKCS #11 .dll, it might be
  * defined by
  *
  * #define CK_DEFINE_FUNCTION(returnType, name) \
  *   returnType __declspec(dllexport) name
  *
- * For defining a function in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
  * In a UNIX environment, it might be defined by
  *
  * #define CK_DEFINE_FUNCTION(returnType, name) \
  *   returnType name
  *
  *
  * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
  * an importable PKCS #11 library function declaration out of a
@@ -146,22 +130,16 @@ extern "C" {
  * );
  *
  * For declaring a function in a Win32 PKCS #11 .dll, it might
  * be defined by
  *
  * #define CK_DECLARE_FUNCTION(returnType, name) \
  *   returnType __declspec(dllimport) name
  *
- * For declaring a function in a Win16 PKCS #11 .dll, it might
- * be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
  * In a UNIX environment, it might be defined by
  *
  * #define CK_DECLARE_FUNCTION(returnType, name) \
  *   returnType name
  *
  *
  * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
  * which makes a PKCS #11 API function pointer declaration or
@@ -182,22 +160,16 @@ extern "C" {
  * funcPtrType funcPtr;
  *
  * For accessing functions in a Win32 PKCS #11 .dll, in might be
  * defined by
  *
  * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
  *   returnType __declspec(dllimport) (* name)
  *
- * For accessing functions in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __export _far _pascal (* name)
- *
  * In a UNIX environment, it might be defined by
  *
  * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
  *   returnType (* name)
  *
  *
  * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
  * a function pointer type for an application callback out of
@@ -213,21 +185,16 @@ extern "C" {
  * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
  * myCallbackType myCallback;
  *
  * In a Win32 environment, it might be defined by
  *
  * #define CK_CALLBACK_FUNCTION(returnType, name) \
  *   returnType (* name)
  *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType _far _pascal (* name)
- *
  * In a UNIX environment, it might be defined by
  *
  * #define CK_CALLBACK_FUNCTION(returnType, name) \
  *   returnType (* name)
  *
  *
  * 6. NULL_PTR: This macro is the value of a NULL pointer.
  *
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -33,17 +33,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
  * Encoding Rules).
  *
- * $Id: secasn1d.c,v 1.38 2007/10/12 01:44:51 julien.pierre.boogz%sun.com Exp $
+ * $Id: secasn1d.c,v 1.39 2009/04/07 23:52:10 julien.pierre.boogz%sun.com Exp $
  */
 
 /* #define DEBUG_ASN1D_STATES 1 */
 
 #ifdef DEBUG_ASN1D_STATES
 #include <stdio.h>
 #define PR_Assert sec_asn1d_Assert
 #endif
@@ -2081,21 +2081,17 @@ sec_asn1d_concat_substrings (sec_asn1d_s
 		state->top->status = decodeError;
 		return;
 	    }
 	    item_len += substring->len;
 	    substring = substring->next;
 	}
 
 	if (is_bit_string) {
-#ifdef XP_WIN16		/* win16 compiler gets an internal error otherwise */
-	    alloc_len = (((long)item_len + 7) / 8);
-#else
 	    alloc_len = ((item_len + 7) >> 3);
-#endif
 	} else {
 	    /*
 	     * Add 2 for the end-of-contents octets of an indefinite-length
 	     * ANY that is *not* also an INNER.  Because we zero-allocate
 	     * below, all we need to do is increase the length here.
 	     */
 	    if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
 		item_len += 2; 
--- a/security/nss/lib/util/secport.h
+++ b/security/nss/lib/util/secport.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * secport.h - portability interfaces for security libraries
  *
- * $Id: secport.h,v 1.19 2009/02/27 00:15:03 nelson%bolyard.com Exp $
+ * $Id: secport.h,v 1.21 2009/04/08 01:07:00 julien.pierre.boogz%sun.com Exp $
  */
 
 #ifndef _SECPORT_H_
 #define _SECPORT_H_
 
 #include "utilrename.h"
 
 /*
@@ -52,20 +52,16 @@
 #ifdef _WINDOWS
 # ifndef XP_WIN
 # define XP_WIN
 # endif
 #if defined(_WIN32) || defined(WIN32)
 # ifndef XP_WIN32
 # define XP_WIN32
 # endif
-#else
-# ifndef XP_WIN16
-# define XP_WIN16
-# endif
 #endif
 #endif
 
 #ifdef __BEOS__
 # ifndef XP_BEOS
 # define XP_BEOS
 # endif
 #endif
--- a/security/nss/tests/memleak/ignored
+++ b/security/nss/tests/memleak/ignored
@@ -36,11 +36,11 @@
 **/PR_FormatTime/__strftime_std/**
 
 #463208
 **/sqlite3UnixFullPathname/_getcwd/**
 
 #463631
 vfychain/main/PL_CreateOptState/**
 
-#486928
-selfserv/main/PORT_Strdup_Util/PORT_Alloc_Util/**
+#486298
+selfserv/main/PORT_Strdup_Util**
 
--- a/security/nss/trademarks.txt
+++ b/security/nss/trademarks.txt
@@ -108,17 +108,16 @@ Telex
 Thawte
 UCS-4           Universal Coded Character Set
 UNIX
 URI             Uniform Resource Identifier
 URL             Uniform Resource Locator
 UTF-8           Unicode Transformation Format
 Unisys
 Verisign
-WIN16           Windows
 WIN32           Windows
 WINNT           Windows NT
 Windows
 WordPerfect
 X.121
 X.25
 X.400
 X.509