Bug 504080: Update NSS from NSS_3_12_4_FIPS1_WITH_CKBI_1_75 to
authorWan-Teh Chang <wtc@google.com>
Tue, 28 Jul 2009 17:01:39 -0700
changeset 30806 aa1d4674a5ccd7ed64565fe2e24da3f0b8c69de8
parent 30805 26a7e8eca2514d68256e4b6ce12a9f71acaeae32
child 30807 37403bc90c4ab0c88ee3f9a8b95aeb8f5ca0ae6f
push id8249
push userwtc@google.com
push dateWed, 29 Jul 2009 00:01:58 +0000
bugs504080
milestone1.9.2a1pre
Bug 504080: Update NSS from NSS_3_12_4_FIPS1_WITH_CKBI_1_75 to NSS_3_12_4_FIPS4 in mozilla-central. r=kaie.
dbm/include/mcom_db.h
dbm/src/db.c
dbm/src/hash.c
dbm/src/mktemp.c
security/coreconf/HP-UX.mk
security/coreconf/Linux.mk
security/coreconf/Linux2.1.mk
security/coreconf/Linux2.2.mk
security/coreconf/Linux2.4.mk
security/coreconf/Linux2.5.mk
security/coreconf/Linux2.6.mk
security/coreconf/OS2.mk
security/coreconf/OpenVMS.mk
security/coreconf/OpenVMSV7.1-2.mk
security/coreconf/SunOS5.mk
security/coreconf/WINCE.mk
security/coreconf/arch.mk
security/coreconf/config.mk
security/coreconf/coreconf.dep
security/coreconf/nsinstall/nsinstall.c
security/coreconf/rules.mk
security/coreconf/ruleset.mk
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/certutil/certext.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/lib/config.mk
security/nss/cmd/lib/secpwd.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/wincemain.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/platlibs.mk
security/nss/cmd/sdrtest/sdrtest.c
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/tests/baddbdir.c
security/nss/cmd/tests/manifest.mn
security/nss/cmd/zlib/README
security/nss/cmd/zlib/example.c
security/nss/cmd/zlib/minigzip.c
security/nss/cmd/zlib/zconf.h
security/nss/cmd/zlib/zutil.h
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/ckfw/Makefile
security/nss/lib/ckfw/builtins/config.mk
security/nss/lib/ckfw/capi/config.mk
security/nss/lib/ckfw/sessobj.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/des.c
security/nss/lib/freebl/drbg.c
security/nss/lib/freebl/mpi/mpi_x86_os2.s
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/nsslowhash.h
security/nss/lib/freebl/stubs.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/jar/jarver.c
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/pk11auth.c
security/nss/lib/pk11wrap/pk11sdr.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pkcs12/p12d.c
security/nss/lib/smime/config.mk
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/config.mk
security/nss/lib/softoken/pk11pars.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkdb.c
security/nss/lib/softoken/sftkmod.c
security/nss/lib/softoken/sftkpars.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/sqlite/config.mk
security/nss/lib/ssl/config.mk
security/nss/lib/ssl/sslmutex.c
security/nss/lib/ssl/sslmutex.h
security/nss/lib/ssl/sslsnce.c
security/nss/lib/util/config.mk
security/nss/lib/util/nssutil.h
security/nss/pkg/solaris/SUNWtlsd/prototype
security/nss/tests/chains/chains.sh
security/nss/tests/dbtests/dbtests.sh
security/nss/tests/libpkix/certs/PayPalEE.cert
security/nss/tests/libpkix/certs/PayPalICA.cert
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -387,21 +387,18 @@ typedef struct {
 }
 #define	P_16_COPY(a, b) {						\
 	((char *)&(b))[0] = ((char *)&(a))[1];				\
 	((char *)&(b))[1] = ((char *)&(a))[0];				\
 }
 #endif
 
 PR_BEGIN_EXTERN_C
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
+
 extern DB *
-#else
-PR_EXTERN(DB *)
-#endif
 dbopen (const char *, int, int, DBTYPE, const void *);
 
 /* set or unset a global lock flag to disable the
  * opening of any DBM file
  */
 void dbSetOrClearDBLock(DBLockFlagEnum type);
 
 #ifdef __DBINTERFACE_PRIVATE
--- a/dbm/src/db.c
+++ b/dbm/src/db.c
@@ -59,21 +59,17 @@ void
 dbSetOrClearDBLock(DBLockFlagEnum type)
 {
 	if(type == LockOutDatabase)
 		all_databases_locked_closed = 1;
 	else
 		all_databases_locked_closed = 0;
 }
 
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
 DB *
-#else
-PR_IMPLEMENT(DB *)
-#endif
 dbopen(const char *fname, int flags,int mode, DBTYPE type, const void *openinfo)
 {
 
 	/* lock out all file databases.  Let in-memory databases through
 	 */
 	if(all_databases_locked_closed && fname)
 	  {
 		errno = EINVAL;
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -334,17 +334,17 @@ init_hash(HTAB *hashp, const char *file,
 	memset(hashp->SPARES, 0, sizeof(hashp->SPARES));
 	memset(hashp->BITMAPS, 0, sizeof (hashp->BITMAPS));
 
 	/* Fix bucket size to be optimal for file system */
 	if (file != NULL) {
 		if (stat(file, &statbuf))
 			return (NULL);
 
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(VMS) && !defined(XP_OS2)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2)
 #if defined(__QNX__) && !defined(__QNXNTO__)
 		hashp->BSIZE = 512; /* preferred blk size on qnx4 */
 #else
 		hashp->BSIZE = statbuf.st_blksize;
 #endif
 
 		/* new code added by Lou to reduce block
 		 * size down below MAX_BSIZE
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -73,21 +73,23 @@ mkstemp(char *path)
 int
 mkstempflags(char *path, int extraFlags)
 {
 	int fd;
 
 	return (_gettemp(path, &fd, extraFlags) ? fd : -1);
 }
 
+#ifdef WINCE /* otherwise, use the one in libc */
 char *
 mktemp(char *path)
 {
 	return(_gettemp(path, (int *)NULL, 0) ? path : (char *)NULL);
 }
+#endif
 
 /* NB: This routine modifies its input string, and does not always restore it.
 ** returns 1 on success, 0 on failure.
 */
 static int 
 _gettemp(char *path, register int *doopen, int extraFlags)
 {    
 #if !defined(_WINDOWS) || defined(_WIN32)
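Review bot: With the `#ifdef WINCE` guard around `mktemp()`, every other platform now resolves that name to libc's `mktemp`, which only produces a name and leaves file creation to the caller, so any remaining caller has a gap between choosing the name and opening the file. The guard comment should say so and point at the fd-returning wrappers already in this file, for example `/* WINCE has no libc mktemp(); elsewhere libc's is used. mktemp() does not create the file: prefer mkstemp()/mkstempflags(). */`. Whether libc's template handling matches what `_gettemp` accepted for the existing dbm callers is not visible here and is worth confirming. `_gettemp`'s body continues outside the hunk.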
--- a/security/coreconf/HP-UX.mk
+++ b/security/coreconf/HP-UX.mk
@@ -71,23 +71,23 @@ ifeq ($(DEFAULT_IMPL_STRATEGY),_PTH)
 endif
 
 ifdef PTHREADS_USER
 	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
 endif
 
 LDFLAGS			= -z -Wl,+s
 
-MKSHLIB			= $(LD) $(DSO_LDOPTS)
+MKSHLIB			= $(LD) $(DSO_LDOPTS) $(RPATH)
 ifdef MAPFILE
 MKSHLIB += -c $(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
          sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > $@
 
 DSO_LDOPTS		= -b +h $(notdir $@)
-ifeq ($(OS_TEST),ia64)
-	DSO_LDOPTS	+= +b '$$ORIGIN'
+ifeq ($(USE_64), 1)
+RPATH   = +b '$$ORIGIN'
 endif
 DSO_LDFLAGS		=
 
 # +Z generates position independent code for use in shared libraries.
 DSO_CFLAGS = +Z
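Review bot: The `ifeq ($(USE_64), 1)` test around `RPATH` is not equivalent to the `ifeq ($(OS_TEST),ia64)` test it replaces: as far as this hunk shows, a 32-bit ia64 build no longer embeds `+b '$$ORIGIN'`, while a 64-bit build on any CPU now does. If that is intended, a comment above the block should state it, e.g. `# 64-bit builds look for dependencies next to the library ('$$ORIGIN'); 32-bit builds embed no run path.` Without it the next reader cannot tell whether 32-bit libraries are meant to rely on the default search path.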
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -47,109 +47,75 @@ ifeq ($(USE_PTHREADS),1)
 endif
 
 CC			= gcc
 CCC			= g++
 RANLIB			= ranlib
 
 DEFAULT_COMPILER = gcc
 
-ifeq ($(OS_TEST),m68k)
-	OS_REL_CFLAGS	= -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH	= m68k
-else
 ifeq ($(OS_TEST),ppc64)
 	OS_REL_CFLAGS	= -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH	= ppc
 ifeq ($(USE_64),1)
 	ARCHFLAG	= -m64
 endif
 else
-ifeq ($(OS_TEST),ppc)
-	OS_REL_CFLAGS	= -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH	= ppc
-else
 ifeq ($(OS_TEST),alpha)
         OS_REL_CFLAGS   = -D_ALPHA_ -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH	= alpha
 else
-ifeq ($(OS_TEST),ia64)
-	OS_REL_CFLAGS	= -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH	= ia64
-else
 ifeq ($(OS_TEST),x86_64)
 ifeq ($(USE_64),1)
 	OS_REL_CFLAGS	= -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH	= x86_64
 else
 	OS_REL_CFLAGS	= -DLINUX1_2 -Di386 -D_XOPEN_SOURCE
 	CPU_ARCH	= x86
 	ARCHFLAG	= -m32
 endif
 else
-ifeq ($(OS_TEST),sparc)
-	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH        = sparc
-else
 ifeq ($(OS_TEST),sparc64)
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH        = sparc
 else
 ifeq (,$(filter-out arm% sa110,$(OS_TEST)))
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH        = arm
 else
-ifeq ($(OS_TEST),parisc)
-	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH        = hppa
-else
-ifeq ($(OS_TEST),parisc64)
+ifeq (,$(filter-out parisc%,$(OS_TEST)))
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH        = hppa
 else
-ifeq ($(OS_TEST),s390)
-	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH        = s390
-else
-ifeq ($(OS_TEST),s390x)
-	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH        = s390x
-else
-ifeq ($(OS_TEST),mips)
-	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
-	CPU_ARCH        = mips
-else
 ifeq (,$(filter-out i%86,$(OS_TEST)))
 	OS_REL_CFLAGS	= -DLINUX1_2 -Di386 -D_XOPEN_SOURCE
 	CPU_ARCH	= x86
 else
+ifeq ($(OS_TEST),sh4a)
+	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
+	CPU_ARCH        = sh4
+else
+# $(OS_TEST) == m68k, ppc, ia64, sparc, s390, s390x, mips, sh3, sh4
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH	= $(OS_TEST)
 endif
 endif
 endif
 endif
 endif
 endif
 endif
 endif
-endif
-endif
-endif
-endif
-endif
-endif
-endif
 
 
 LIBC_TAG		= _glibc
 
 ifeq ($(OS_RELEASE),2.0)
 	OS_REL_CFLAGS	+= -DLINUX2_0
-	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 	ifdef MAPFILE
 		MKSHLIB += -Wl,--version-script,$(MAPFILE)
 	endif
 	PROCESS_MAP_FILE = grep -v ';-' $< | \
          sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 endif
 
 ifdef BUILD_OPT
@@ -177,14 +143,25 @@ DSO_CFLAGS		= -fPIC
 DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,-z,defs
 DSO_LDFLAGS		=
 LDFLAGS			+= $(ARCHFLAG)
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
-# Always set CPU_TAG on Linux, OpenVMS, WINCE.
+# Always set CPU_TAG on Linux, WINCE.
 #
 CPU_TAG = _$(CPU_ARCH)
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS = -lz
+
+# The -rpath '$$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+ifeq ($(BUILD_SUN_PKG), 1)
+ifeq ($(USE_64), 1)
+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib64:/opt/sun/private/lib'
+else
+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib'
+endif
+endif
+
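Review bot: The comment above the `RPATH` block describes only `'$$ORIGIN'`, but both values also append absolute directories (`/opt/sun/private/lib64`, `/opt/sun/private/lib`), and the whole block applies only when `BUILD_SUN_PKG` is 1. Every library linked through `MKSHLIB` will then fall back to those directories for its dependencies, so the run path is only as trustworthy as the ownership and permissions of those paths on the target system. I would extend the comment, e.g. `# BUILD_SUN_PKG only: also search the package directories below; they must not be writable by unprivileged users.` The SunOS5.mk hunk that adds `-R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'` has the same gap, and there a non-package build still gets `-R '$$ORIGIN'` while on Linux it gets no run path at all; that asymmetry deserves a line as well.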
--- a/security/coreconf/Linux2.1.mk
+++ b/security/coreconf/Linux2.1.mk
@@ -33,16 +33,16 @@
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 ifeq ($(OS_RELEASE),2.1)
         OS_REL_CFLAGS   += -DLINUX2_1
-        MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+        MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 	ifdef MAPFILE
 		MKSHLIB += -Wl,--version-script,$(MAPFILE)
 	endif
 	PROCESS_MAP_FILE = grep -v ';-' $< | \
        	 sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 endif
 
--- a/security/coreconf/Linux2.2.mk
+++ b/security/coreconf/Linux2.2.mk
@@ -33,16 +33,16 @@
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
 OS_REL_CFLAGS   += -DLINUX2_1
-MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
--- a/security/coreconf/Linux2.4.mk
+++ b/security/coreconf/Linux2.4.mk
@@ -33,16 +33,16 @@
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
 OS_REL_CFLAGS   += -DLINUX2_1
-MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
--- a/security/coreconf/Linux2.5.mk
+++ b/security/coreconf/Linux2.5.mk
@@ -33,16 +33,16 @@
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
 OS_REL_CFLAGS   += -DLINUX2_1
-MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
--- a/security/coreconf/Linux2.6.mk
+++ b/security/coreconf/Linux2.6.mk
@@ -33,16 +33,16 @@
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
 OS_REL_CFLAGS   += -DLINUX2_1
-MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
+MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
--- a/security/coreconf/OS2.mk
+++ b/security/coreconf/OS2.mk
@@ -92,17 +92,17 @@ PROCESS_MAP_FILE = \
 	echo DATA    PRELOAD MOVEABLE MULTIPLE NONSHARED >> $@; \
 	echo EXPORTS >> $@; \
 	grep -v ';+' $< | grep -v ';-' | \
 	sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,\([\t ]*\),\1_,' | \
 	awk 'BEGIN {ord=1;} { print($$0 " @" ord " RESIDENTNAME"); ord++;}' >> $@
 
 endif   #NO_SHARED_LIB
 
-OS_CFLAGS          = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-switch -Zomf -DDEBUG -DTRACING -g
+OS_CFLAGS          = -Wall -Wno-unused -Wpointer-arith -Wcast-align -Wno-switch -Zomf -DDEBUG -DTRACING -g
 
 ifdef BUILD_OPT
 ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 	OPTIMIZER += -Os -s
 else
 	OPTIMIZER += -O2 -s
 endif
 DEFINES 		+= -UDEBUG -U_DEBUG -DNDEBUG
deleted file mode 100755
--- a/security/coreconf/OpenVMS.mk
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is mozilla.org Code.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# Config stuff for Compaq OpenVMS
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-CC			= cc
-CCC			= cxx
-
-RANLIB			= /gnu/bin/true
-
-CPU_ARCH		:= $(shell uname -Wh)
-
-OS_CFLAGS		= -DVMS
-OS_CXXFLAGS		= -DVMS
-
-#
-# XCFLAGS are the only CFLAGS that are used during a link operation. Defining
-# OPTIMIZER in XCFLAGS means that each compilation line gets OPTIMIZER
-# included twice, but at least we get OPTIMIZER included in the link
-# operations; and OpenVMS needs it!
-#
-XCFLAGS                        += $(OPTIMIZER)
-
-DSO_LDOPTS	= -shared -auto_symvec
-MKSHLIB		= $(CC) $(OPTIMIZER) $(LDFLAGS) $(DSO_LDOPTS)
-
-ifdef MAPFILE
-# Add LD options to restrict exported symbols to those in the map file
-endif
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
-
-
-#
-# Always set CPU_TAG on Linux, OpenVMS, WINCE.
-#
-CPU_TAG = _$(CPU_ARCH)
deleted file mode 100755
--- a/security/coreconf/OpenVMSV7.1-2.mk
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is mozilla.org Code.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# Config stuff for Compaq OpenVMS
-#
-
-include $(CORE_DEPTH)/coreconf/OpenVMS.mk
--- a/security/coreconf/SunOS5.mk
+++ b/security/coreconf/SunOS5.mk
@@ -108,17 +108,17 @@ INCLUDES   += -I/usr/dt/include -I/usr/o
 
 RANLIB      = echo
 CPU_ARCH    = sparc
 OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT
 
 # Purify doesn't like -MDupdate
 NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
 
-MKSHLIB  = $(CC) $(DSO_LDOPTS)
+MKSHLIB  = $(CC) $(DSO_LDOPTS) $(RPATH)
 ifdef NS_USE_GCC
 ifeq (GNU,$(findstring GNU,$(shell `$(CC) -print-prog-name=ld` -v 2>&1)))
 	GCC_USE_GNU_LD = 1
 endif
 endif
 ifdef MAPFILE
 ifdef NS_USE_GCC
 ifdef GCC_USE_GNU_LD
@@ -161,8 +161,20 @@ DSO_LDOPTS += -z combreloc -z defs -z ig
 ifdef NS_USE_GCC
 	DSO_CFLAGS += -fPIC
 else
 	DSO_CFLAGS += -KPIC
 endif
 
 NOSUCHFILE   = /solaris-rm-f-sucks
 
+ifeq ($(BUILD_SUN_PKG), 1)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+ifeq ($(USE_64), 1)
+RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
+else
+RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
+endif
+else
+RPATH = -R '$$ORIGIN'
+endif
+
--- a/security/coreconf/WINCE.mk
+++ b/security/coreconf/WINCE.mk
@@ -78,16 +78,18 @@ MAKE_OBJDIR  = mkdir
 MAKE_OBJDIR += $(OBJDIR)
 RC           = rc.exe
 GARBAGE     += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb
 XP_DEFINE   += -DXP_PC
 LIB_SUFFIX   = lib
 DLL_SUFFIX   = dll
 OS_DLLFLAGS  += -DLL
 
+EXTRA_EXE_LD_FLAGS += -ENTRY:mainWCRTStartup
+
 ifdef BUILD_OPT
 #   OS_CFLAGS  += -MD
     OPTIMIZER  += -O2
     DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
     DLLFLAGS   += -OUT:"$@"
 else
     #
     # Define USE_DEBUG_RTL if you want to use the debug runtime library
@@ -201,12 +203,12 @@ endif
 # override the TARGETS defined in ruleset.mk, adding IMPORT_LIBRARY
 #
 ifndef TARGETS
     TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
 endif
 
 
 #
-# Always set CPU_TAG on Linux, OpenVMS, WINCE.
+# Always set CPU_TAG on Linux, WINCE.
 #
 CPU_TAG = _$(CPU_ARCH)
 
--- a/security/coreconf/arch.mk
+++ b/security/coreconf/arch.mk
@@ -160,21 +160,16 @@ endif
 #
 # For OS/2
 #
 ifeq ($(OS_ARCH),OS_2)
     OS_ARCH = OS2
     OS_RELEASE := $(shell uname -v)
 endif
 
-ifneq (,$(findstring OpenVMS,$(OS_ARCH)))
-    OS_ARCH = OpenVMS
-    OS_RELEASE := $(shell uname -v)
-endif
-
 #######################################################################
 # Master "Core Components" macros for getting the OS target           #
 #######################################################################
 
 #
 # Note: OS_TARGET should be specified on the command line for gmake.
 # When OS_TARGET=WIN95 is specified, then a Windows 95 target is built.
 # The difference between the Win95 target and the WinNT target is that
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -58,17 +58,17 @@ endif
 #       (dependent upon <architecture> tags)                          #
 #                                                                     #
 #       We are moving towards just having a $(OS_TARGET).mk file      #
 #       as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files,    #
 #       one for each OS release.                                      #
 #######################################################################
 
 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
-              OpenVMS AIX RISCOS WINNT WIN95 WINCE
+              AIX RISCOS WINNT WIN95 WINCE
 
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
 
 #######################################################################
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -39,8 +39,9 @@
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
 /* NSS 3.12.4 Beta */
+
--- a/security/coreconf/nsinstall/nsinstall.c
+++ b/security/coreconf/nsinstall/nsinstall.c
@@ -53,17 +53,17 @@ typedef unsigned int mode_t;
 #include <utime.h>
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "pathsub.h"
 
 #define HAVE_LCHOWN
 
-#if defined(AIX) || defined(BSDI) || defined(HPUX) || defined(LINUX) || defined(SUNOS4) || defined(SCO) || defined(UNIXWARE) || defined(VMS) || defined(NTO) || defined(DARWIN) || defined(BEOS) || defined(__riscos__)
+#if defined(AIX) || defined(BSDI) || defined(HPUX) || defined(LINUX) || defined(SUNOS4) || defined(SCO) || defined(UNIXWARE) || defined(NTO) || defined(DARWIN) || defined(BEOS) || defined(__riscos__)
 #undef HAVE_LCHOWN
 #endif
 
 #define HAVE_FCHMOD
 
 #if defined(BEOS)
 #undef HAVE_FCHMOD
 #endif
@@ -402,51 +402,36 @@ retry:
 		if (wc < 0)
 		    fail("cannot write to %s", toname);
 	    }
 	    if (cc < 0)
 		fail("cannot read from %s", name);
 
 	    if (ftruncate(tofd, sb.st_size) < 0)
 		fail("cannot truncate %s", toname);
-	    /*
-	    ** On OpenVMS we can't chmod() until the file is closed, and we
-	    ** have to utime() last since fchown/chmod alter the timestamps.
-	    */
-#ifndef VMS
 	    if (dotimes) {
 		utb.actime = sb.st_atime;
 		utb.modtime = sb.st_mtime;
 		if (utime(toname, &utb) < 0)
 		    fail("cannot set times of %s", toname);
 	    }
 #ifdef HAVE_FCHMOD
 	    if (fchmod(tofd, mode) < 0)
 #else
 	    if (chmod(toname, mode) < 0)
 #endif
 		fail("cannot change mode of %s", toname);
-#endif
+
 	    if ((owner || group) && fchown(tofd, uid, gid) < 0)
 		fail("cannot change owner of %s", toname);
 
 	    /* Must check for delayed (NFS) write errors on close. */
 	    if (close(tofd) < 0)
 		fail("close reports write error on %s", toname);
 	    close(fromfd);
-#ifdef VMS
-	    if (chmod(toname, mode) < 0)
-		fail("cannot change mode of %s", toname);
-	    if (dotimes) {
-		utb.actime = sb.st_atime;
-		utb.modtime = sb.st_mtime;
-		if (utime(toname, &utb) < 0)
-		    fail("cannot set times of %s", toname);
-	    }
-#endif
 	}
 
 	free(toname);
     }
 
     free(cwd);
     free(todir);
     return 0;
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -268,17 +268,17 @@ endif
 alltags:
 	rm -f TAGS
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
-	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)) $(EXTRA_EXE_LD_FLAGS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
@@ -368,17 +368,17 @@ endif
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(EXTRA_EXE_LD_FLAGS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
@@ -873,17 +873,17 @@ endif
 
 
 
 
 ################################################################################
 
 -include $(DEPENDENCIES)
 
-ifneq (,$(filter-out OpenVMS OS2 WIN%,$(OS_TARGET)))
+ifneq (,$(filter-out OS2 WIN%,$(OS_TARGET)))
 # Can't use sed because of its 4000-char line length limit, so resort to perl
 PERL_DEPENDENCIES_PROGRAM =                                                   \
 	    open(MD, "< $(DEPENDENCIES)");                                    \
 	    while (<MD>) {                                                    \
 		if (m@ \.*/*$< @) {                                           \
 		    $$found = 1;                                              \
 		    last;                                                     \
 		}                                                             \
--- a/security/coreconf/ruleset.mk
+++ b/security/coreconf/ruleset.mk
@@ -205,22 +205,18 @@ ifdef JDIRS
     ALL_TRASH += $(addprefix $(JAVA_DESTPATH)/,$(JDIRS))
 endif
 else # !JAVA_DESTPATH
     ALL_TRASH += $(wildcard $(PACKAGE)/*.class) $(JDIRS)
 endif
 
 endif #NS_USE_JDK
 
-#
-# If this is an "official" build, try to build everything.
-# I.e., don't exit on errors.
-#
-
-ifdef BUILD_OFFICIAL
+ifdef NSS_BUILD_CONTINUE_ON_ERROR
+# Try to build everything. I.e., don't exit on errors.
     EXIT_ON_ERROR		= +e
     CLICK_STOPWATCH		= date
 else
     EXIT_ON_ERROR		= -e
     CLICK_STOPWATCH		= true
 endif
 
 ifdef REQUIRES
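Review bot: `ifdef NSS_BUILD_CONTINUE_ON_ERROR` is true for any non-empty value, so `NSS_BUILD_CONTINUE_ON_ERROR=0` still selects `EXIT_ON_ERROR = +e` and the build carries on past failed commands. A continue-on-error build can finish with targets missing or stale, which is easy to overlook in a tree that produces crypto libraries. Either test the value, `ifeq ($(NSS_BUILD_CONTINUE_ON_ERROR),1)`, or spell the semantics out in the comment: `# Any non-empty value enables this; leave it unset for release builds.`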
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -3241,17 +3241,17 @@ static secuCommandFlag bltest_options[] 
 
 int main(int argc, char **argv)
 {
     char *infileName, *outfileName, *keyfileName, *ivfileName;
     SECStatus rv = SECFailure;
 
     double              totalTime;
     PRIntervalTime      time1, time2;
-    PRFileDesc          *outfile;           
+    PRFileDesc          *outfile = NULL;
     bltestCipherInfo    *cipherInfoListHead, *cipherInfo;
     bltestIOMode        ioMode;
     int                 bufsize, exponent, curThrdNum;
 #ifdef NSS_ENABLE_ECC
     char		*curveName = NULL;
 #endif
     int			 i, commandsEntered;
     int			 inoff, outoff;
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -1725,17 +1725,17 @@ AddExtensions(void *extHandle, const cha
             rv = AddCrlDistPoint(extHandle);
             if (rv) {
 		errstring = "CRLDistPoints";
                 break;
 	    }
         }
 
         if (extList[ext_NSCertType].activated) {
-            rv = AddNscpCertType(extHandle, extList[ext_extKeyUsage].arg);
+            rv = AddNscpCertType(extHandle, extList[ext_NSCertType].arg);
             if (rv) {
 		errstring = "NSCertType";
                 break;
 	    }
         }
 
         if (extList[ext_authInfoAcc].activated ||
             extList[ext_subjInfoAcc].activated) {
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -42,18 +42,20 @@
 #if defined(XP_UNIX)
 #include <unistd.h>
 #include <sys/time.h>
 #include <termios.h>
 #endif
 
 #if defined(XP_WIN) || defined (XP_PC)
 #include <time.h>
+#ifndef WINCE
 #include <conio.h>
 #endif
+#endif
 
 #if defined(__sun) && !defined(SVR4)
 extern int fclose(FILE*);
 extern int fprintf(FILE *, char *, ...);
 extern int isatty(int);
 extern char *sys_errlist[];
 #define strerror(errno) sys_errlist[errno]
 #endif
@@ -107,34 +109,32 @@ UpdateRNG(void)
     FPS "\n");
     FPS "Continue typing until the progress meter is full:\n\n");
     FPS meter);
     FPS "\r|");
 
     /* turn off echo on stdin & return on 1 char instead of NL */
     fd = fileno(stdin);
 
-#if defined(XP_UNIX) && !defined(VMS)
+#if defined(XP_UNIX)
     tcgetattr(fd, &tio);
     orig_lflag = tio.c_lflag;
     orig_cc_min = tio.c_cc[VMIN];
     orig_cc_time = tio.c_cc[VTIME];
     tio.c_lflag &= ~ECHO;
     tio.c_lflag &= ~ICANON;
     tio.c_cc[VMIN] = 1;
     tio.c_cc[VTIME] = 0;
     tcsetattr(fd, TCSAFLUSH, &tio);
 #endif
 
     /* Get random noise from keyboard strokes */
     count = 0;
     while (count < sizeof randbuf) {
-#ifdef VMS
-	c = GENERIC_GETCHAR_NOECHO();
-#elif XP_UNIX
+#if defined(XP_UNIX) || defined(WINCE)
 	c = getc(stdin);
 #else
 	c = getch();
 #endif
 	if (c == EOF) {
 	    rv = -1;
 	    break;
 	}
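Review bot: The new `#if defined(XP_UNIX) || defined(WINCE)` branch reads with `getc(stdin)` on WINCE, but the block above that clears `ECHO` and `ICANON` is still `XP_UNIX` only, so on WINCE the input is presumably echoed and delivered through the C runtime's buffering instead of one keystroke at a time. If the loop depends on per-keystroke arrival for what it stores in `randbuf` (the store is outside this hunk), the WINCE path contributes less noise than the prompt suggests. A comment at the branch would make the limitation explicit, e.g. `/* WINCE: no getch(); stdin stays echoed and buffered, so treat this input as weak noise */`. `UpdateRNG` starts before this hunk and continues after it.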
@@ -144,30 +144,25 @@ UpdateRNG(void)
 	    FPS "*");
 	}
     }
     PK11_RandomUpdate(randbuf, sizeof randbuf);
     memset(randbuf, 0, sizeof randbuf);
 
     FPS "\n\n");
     FPS "Finished.  Press enter to continue: ");
-#if defined(VMS)
-    while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF)
-	;
-#else
     while ((c = getc(stdin)) != '\n' && c != EOF)
 	;
-#endif
     if (c == EOF) 
 	rv = -1;
     FPS "\n");
 
 #undef FPS
 
-#if defined(XP_UNIX) && !defined(VMS)
+#if defined(XP_UNIX)
     /* set back termio the way it was */
     tio.c_lflag = orig_lflag;
     tio.c_cc[VMIN] = orig_cc_min;
     tio.c_cc[VTIME] = orig_cc_time;
     tcsetattr(fd, TCSAFLUSH, &tio);
 #endif
     return rv;
 }
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -3514,26 +3514,31 @@ hmac_calc(unsigned char *hmac_computed,
  *
  * reqfn is the pathname of the input REQUEST file.
  *
  * The output RESPONSE file is written to stdout.
  */
 void hmac_test(char *reqfn) 
 {
     unsigned int i, j;
-    size_t bufSize =      288;    /* MAX buffer size */
+    size_t bufSize =      400;    /* MAX buffer size */
     char *buf = NULL;  /* holds one line from the input REQUEST file.*/
     unsigned int keyLen;          /* Key Length */  
-    unsigned char key[140];       /* key MAX size = 140 */
+    unsigned char key[200];       /* key MAX size = 184 */
     unsigned int msgLen = 128;    /* the length of the input  */
                                   /*  Message is always 128 Bytes */
     unsigned char *msg = NULL;    /* holds the message to digest.*/
     unsigned int HMACLen;         /* the length of the HMAC Bytes  */
+    unsigned int TLen;            /* the length of the requested */
+                                  /* truncated HMAC Bytes */
     unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
+    unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */ 
+                                                 /* supplied known answer */
     HASH_HashType hash_alg;       /* HMAC type */
+    
 
     FILE *req = NULL;  /* input stream from the REQUEST file */
     FILE *resp;        /* output stream to the RESPONSE file */
 
     buf = PORT_ZAlloc(bufSize);
     if (buf == NULL) {
         goto loser;
     }      
@@ -3541,16 +3546,38 @@ void hmac_test(char *reqfn)
     memset(msg, 0, msgLen);
     if (msg == NULL) {
         goto loser;
     } 
 
     req = fopen(reqfn, "r");
     resp = stdout;
     while (fgets(buf, bufSize, req) != NULL) {
+        if (strncmp(buf, "Mac", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            memset(expectedHMAC, 0, HASH_LENGTH_MAX);
+            for (j=0; isxdigit(buf[i]); i+=2,j++) { 
+                hex_to_byteval(&buf[i], &expectedHMAC[j]);
+            }
+            if (memcmp(HMAC, expectedHMAC, TLen) != 0) {
+                fprintf(stderr, "Generate failed:\n");
+                fputs(  "   expected=", stderr);
+                to_hex_str(buf, expectedHMAC, 
+                           TLen);
+                fputs(buf, stderr);
+                fputs("\n   generated=", stderr);
+                to_hex_str(buf, HMAC, 
+                           TLen);
+                fputs(buf, stderr);
+                fputc('\n', stderr);
+            }
+        }
 
         /* a comment or blank line */
         if (buf[0] == '#' || buf[0] == '\n') {
             fputs(buf, resp);
             continue;
         }
         /* [L = Length of the MAC and HASH_type */
         if (buf[0] == '[') {
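Review bot: The new `Mac` branch fills `expectedHMAC` with no bound on `j`, so a request line carrying more hex digits than the array holds writes past the stack buffer; the loop should stop at the array size and require both nibbles, e.g. `for (j=0; j < sizeof expectedHMAC && isxdigit(buf[i]) && isxdigit(buf[i+1]); i+=2,j++)`. `TLen` comes straight from `atoi()` in the `Tlen` hunk below and is then used as the length for `memcmp` and `to_hex_str` here and in the `Msg` hunk, so it should be rejected before those calls when it exceeds `sizeof HMAC` (and presumably `HMACLen`), e.g. `if (TLen > sizeof HMAC) goto loser;`. The branch also compares against whatever `HMAC` and `TLen` currently hold, and both are uninitialized if a `Mac` line appears before the first `Count`, `Tlen` and `Msg` lines. hmac_test begins and ends outside this hunk.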
@@ -3578,17 +3605,17 @@ void hmac_test(char *reqfn)
             }
         }
         /* Count = test iteration number*/
         if (strncmp(buf, "Count ", 5) == 0) {    
             /* count can just be put into resp file */
             fputs(buf, resp);
             /* zeroize the variables for the test with this data set */
             keyLen = 0; 
-            HMACLen = 0;
+            TLen = 0;
             memset(key, 0, sizeof key);     
             memset(msg, 0, sizeof msg);  
             memset(HMAC, 0, sizeof HMAC);
             continue;
         }
         /* KLen = Length of the Input Secret Key ... */
         if (strncmp(buf, "Klen", 4) == 0) {
             i = 4;
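Review bot: `memset(msg, 0, sizeof msg);` in the `Count` branch clears only pointer-size bytes, because `msg` is declared as `unsigned char *msg` at the top of hmac_test; it should use the buffer length instead, `memset(msg, 0, msgLen);`. With this change `HMACLen` is no longer reset per test case, which looks intended if it is set only by the `[L=...]` header branch, but that branch is outside the hunk and is worth confirming.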
@@ -3611,17 +3638,17 @@ void hmac_test(char *reqfn)
            fputs(buf, resp);
         }
         /* TLen = Length of the calculated HMAC */
         if (strncmp(buf, "Tlen", 4) == 0) {
             i = 4;
             while (isspace(buf[i]) || buf[i] == '=') {
                 i++;
             }
-            HMACLen = atoi(&buf[i]); /* in bytes */
+            TLen = atoi(&buf[i]); /* in bytes */
             fputs(buf, resp);
             continue;
         }
         /* MSG = to HMAC always 128 bytes for these tests */
         if (strncmp(buf, "Msg", 3) == 0) {
             i = 3;
             while (isspace(buf[i]) || buf[i] == '=') {
                 i++;
@@ -3631,17 +3658,17 @@ void hmac_test(char *reqfn)
             }
            fputs(buf, resp);
            /* calculate the HMAC and output */ 
            if (hmac_calc(HMAC, HMACLen, key, keyLen,   
                          msg, msgLen, hash_alg) != SECSuccess) {
                goto loser;
            }
            fputs("MAC = ", resp);
-           to_hex_str(buf, HMAC, HMACLen);
+           to_hex_str(buf, HMAC, TLen);
            fputs(buf, resp);
            fputc('\n', resp);
            continue;
         }
     }
 loser:
     if (req) {
         fclose(req);
--- a/security/nss/cmd/lib/config.mk
+++ b/security/nss/cmd/lib/config.mk
@@ -40,8 +40,12 @@
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(LIBRARY)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
+ifeq (WINCE,$(OS_ARCH))
+CSRCS += wincemain.c
+endif
+
--- a/security/nss/cmd/lib/secpwd.c
+++ b/security/nss/cmd/lib/secpwd.c
@@ -58,29 +58,29 @@
 #define QUIET_FGETS quiet_fgets
 static char * quiet_fgets (char *buf, int length, FILE *input);
 #else
 #define QUIET_FGETS fgets
 #endif
 
 static void echoOff(int fd)
 {
-#if defined(XP_UNIX) && !defined(VMS)
+#if defined(XP_UNIX)
     if (isatty(fd)) {
 	struct termios tio;
 	tcgetattr(fd, &tio);
 	tio.c_lflag &= ~ECHO;
 	tcsetattr(fd, TCSAFLUSH, &tio);
     }
 #endif
 }
 
 static void echoOn(int fd)
 {
-#if defined(XP_UNIX) && !defined(VMS)
+#if defined(XP_UNIX)
     if (isatty(fd)) {
 	struct termios tio;
 	tcgetattr(fd, &tio);
 	tio.c_lflag |= ECHO;
 	tcsetattr(fd, TCSAFLUSH, &tio);
     }
 #endif
 }
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -68,21 +68,17 @@
 #include "certdb.h"
 
 /* #include "secmod.h" */
 #include "pk11func.h"
 #include "secoid.h"
 
 static char consoleName[] =  {
 #ifdef XP_UNIX
-#ifdef VMS
-    "TT"
-#else
     "/dev/tty"
-#endif
 #else
 #ifdef XP_OS2
     "\\DEV\\CON"
 #else
     "CON:"
 #endif
 #endif
 };
@@ -3310,29 +3306,82 @@ SEC_PrintCertificateAndTrust(CERTCertifi
 	                     "Certificate Trust Flags", 1);
     }
 
     printf("\n");
 
     return(SECSuccess);
 }
 
+#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
+/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1]  */
+static PRBool HasShortDuplicate(int i, secuCommandFlag *a, int count)
+{
+	char target = a[i].flag;
+	int j;
+
+	/* duplicate '\0' flags are okay, they are used with long forms */
+	for (j = i+1; j < count; j++) {
+		if (a[j].flag && a[j].flag == target) {
+			return PR_TRUE;
+		}
+	}
+	return PR_FALSE;
+}
+
+/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */
+static PRBool HasLongDuplicate(int i, secuCommandFlag *a, int count)
+{
+	int j;	
+	char *target = a[i].longform;
+
+	if (!target)
+		return PR_FALSE;
+
+	for (j = i+1; j < count; j++) {
+		if (a[j].longform && strcmp(a[j].longform, target) == 0) {
+			return PR_TRUE;
+		}
+	}
+	return PR_FALSE;
+}
+
+/* Returns true iff a has no short or long form duplicates
+ */
+PRBool HasNoDuplicates(secuCommandFlag *a, int count)
+{
+    int i;
+
+	for (i = 0; i < count; i++) {
+		if (a[i].flag && HasShortDuplicate(i, a, count)) {
+			return PR_FALSE;
+		}
+		if (a[i].longform && HasLongDuplicate(i, a, count)) {
+			return PR_FALSE;
+		}
+	}
+	return PR_TRUE;
+}
+#endif
 
 SECStatus
 SECU_ParseCommandLine(int argc, char **argv, char *progName,
 		      const secuCommand *cmd)
 {
     PRBool found;
     PLOptState *optstate;
     PLOptStatus status;
     char *optstring;
     PLLongOpt *longopts = NULL;
     int i, j;
     int lcmd = 0, lopt = 0;
 
+    PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands));
+    PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions));
+
     optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1);
     if (optstring == NULL)
         return SECFailure;
     
     j = 0;
     for (i=0; i<cmd->numCommands; i++) {
 	if (cmd->commands[i].flag) /* single character option ? */
 	    optstring[j++] = cmd->commands[i].flag;
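Review bot: `HasNoDuplicates` is defined without `static` while its two helpers are static, so debug and `FORCE_PR_ASSERT` builds export a symbol that release builds do not have. In the visible lines it is referenced only from the two `PR_ASSERT`s in SECU_ParseCommandLine, so unless a header declares it the definition can become `static PRBool HasNoDuplicates(secuCommandFlag *a, int count)`. The three new functions are indented with tabs while the surrounding function uses four spaces, and a one-line comment such as `/* debug-only sanity check: release builds do not detect duplicate flags */` above the `#if` would make the scope of the check explicit. SECU_ParseCommandLine continues outside the hunk.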
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/lib/wincemain.c
@@ -0,0 +1,65 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef WINCE
+#include <windows.h>
+
+int
+wmain(int argc, WCHAR **wargv)
+{
+    char **argv;
+    int i, ret;
+
+    argv = malloc(argc * sizeof(char*));
+
+    for (i = 0; i < argc; i++) {
+        int len = WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, NULL, 0, 0, 0);
+        argv[i] = malloc(len * sizeof(char));
+        WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, argv[i], len, 0, 0);
+    }
+
+    ret = main(argc, argv);
+
+    for (i = 0; i < argc; i++) {
+        free(argv[i]);
+    }
+    free(argv);
+
+    return ret;
+}
+
+#endif
+
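Review bot: Neither `malloc` result in wmain is checked, and a failed size query (`WideCharToMultiByte` returning 0) is passed on as `malloc(0)`, so an allocation or conversion failure leaves the loop writing through a null pointer or handing `main` an unterminated string. The vector also lacks the `argv[argc] = NULL` terminator that a `main` may rely on. The version below allocates argc + 1 slots, checks both calls and unwinds on failure; the exit value 1 is an arbitrary choice. `main` is called without a visible prototype and `malloc`/`free` without `<stdlib.h>`, so adding `#include <stdlib.h>` and `int main(int argc, char **argv);` near the top would avoid implicit declarations, unless `<windows.h>` already supplies them on this toolchain.

```c
    argv = malloc((argc + 1) * sizeof(char*));
    if (!argv)
        return 1;

    for (i = 0; i < argc; i++) {
        int len = WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, NULL, 0, 0, 0);
        argv[i] = len > 0 ? malloc(len) : NULL;
        if (!argv[i] ||
            !WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, argv[i], len, 0, 0)) {
            /* release what was converted so far and fail */
            free(argv[i]);
            while (i-- > 0)
                free(argv[i]);
            free(argv);
            return 1;
        }
    }
    argv[argc] = NULL;

    /* … unchanged: call main(argc, argv), then free argv[i] and argv … */
```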
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -775,17 +775,17 @@ cleanup:
     }
     if (configDir) {
         free(configDir);
     }
     if (dbPrefix) {
         free(dbPrefix);
     }
     if (moduleSpec) {
-        free(moduleSpec);
+        PR_smprintf_free(moduleSpec);
     }
 
 #ifdef _WIN32
     FreeLibrary(hModule);
 #else
     disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -52,28 +52,32 @@ PRBool pk12_debugging = PR_FALSE;
 PRBool dumpRawFile;
 
 PRIntn pk12uErrno = 0;
 
 static void
 Usage(char *progName)
 {
 #define FPS PR_fprintf(PR_STDERR,
-    FPS "Usage:	 %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname] [-v]\n",
+    FPS "Usage:	 %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
+				 progName);
+    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+    FPS "\t\t [-v]\n");
+
+    FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
 				 progName);
     FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
-
-    FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname] [-r]\n",
-				 progName);
-    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+    FPS "\t\t [-v]\n");
 
-    FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n", 
-        progName);
-    FPS "\t\t [-c key_cipher] [-C cert_cipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen]\n");
-    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filefilepw]\n");
+    FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix]\n",
+		progName);
+    FPS "\t\t [-c key_cipher] [-C cert_cipher]\n"
+        "\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n");
+    FPS "\t\t [-k slotpwfile | -K slotpw]\n"
+		"\t\t [-w p12filepwfile | -W p12filefilepw]\n");
 
     exit(PK12UERR_USAGE);
 }
 
 static PRBool
 p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
 {
     if(!p12cxt || !p12cxt->filename) {
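Review bot: The rewritten export usage still prints `-W p12filefilepw`, while the import and list usages say `-W p12filepw`; the line should read `"\t\t [-w p12filepwfile | -W p12filepw]\n"`. The list usage also drops `[-r]` although the options table in the next hunk still carries `opt_Raw` as `'r'`, so either the usage text or the table looks stale. Since `-K` and `-W` take the password itself as an argument, where it can show up in process listings and shell history, a usage line recommending the `-k`/`-w` file forms would be a useful addition.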
@@ -950,17 +954,17 @@ static secuCommandFlag pk12util_options[
     { /* opt_Raw   	       */ 'r', PR_FALSE, 0, PR_FALSE },
     { /* opt_P12FilePWFile     */ 'w', PR_TRUE,	 0, PR_FALSE },
     { /* opt_P12FilePW	       */ 'W', PR_TRUE,	 0, PR_FALSE },
     { /* opt_DBPrefix	       */ 'P', PR_TRUE,	 0, PR_FALSE },
     { /* opt_Debug	       */ 'v', PR_FALSE, 0, PR_FALSE },
     { /* opt_Cipher	       */ 'c', PR_TRUE,  0, PR_FALSE },
     { /* opt_CertCipher	       */ 'C', PR_TRUE,  0, PR_FALSE },
     { /* opt_KeyLength         */ 'm', PR_TRUE,  0, PR_FALSE, "key_len" },
-    { /* opt_CertKeyLength     */ 'n', PR_TRUE,  0, PR_FALSE, "cert_key_len" }
+    { /* opt_CertKeyLength     */ 0, PR_TRUE,  0, PR_FALSE, "cert_key_len" }
 };
 
 int
 main(int argc, char **argv)
 {
     secuPWData slotPw = { PW_NONE, NULL };
     secuPWData p12FilePw = { PW_NONE, NULL };
     PK11SlotInfo *slot;
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -46,22 +46,30 @@ else
 EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
 endif
 else
 EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib'
 endif
 endif
 
 ifeq ($(OS_ARCH), Linux)
+ifeq ($(BUILD_SUN_PKG), 1)
+ifeq ($(USE_64), 1)
+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
+else
+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
+endif
+else
 ifeq ($(USE_64), 1)
 EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
 else
 EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
 endif
 endif
+endif
 
 ifeq ($(OS_ARCH), HP-UX) 
 ifeq ($(OS_TEST), ia64)
 EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
 else
 # pa-risc
 ifeq ($(USE_64), 1)
 EXTRA_SHARED_LIBS += \
@@ -78,17 +86,17 @@ ifdef NSS_DISABLE_DBM
 DBMLIB = $(NULL)
 else
 DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) 
 endif
 
 ifdef USE_STATIC_LIBS
 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
+ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) 
 
 DEFINES += -DNSS_USE_STATIC_LIBS
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
@@ -198,17 +206,17 @@ EXTRA_SHARED_LIBS += \
 endif
 
 ifeq ($(OS_TARGET), SunOS)
 OS_LIBS += -lbsm
 endif
 
 else # USE_STATIC_LIBS
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
+ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) 
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
--- a/security/nss/cmd/sdrtest/sdrtest.c
+++ b/security/nss/cmd/sdrtest/sdrtest.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Test program for SDR (Secret Decoder Ring) functions.
  *
- * $Id: sdrtest.c,v 1.14 2008/03/10 20:16:44 rrelyea%redhat.com Exp $
+ * $Id: sdrtest.c,v 1.16 2009/07/08 21:37:43 julien.pierre.boogz%sun.com Exp $
  */
 
 #include "nspr.h"
 #include "string.h"
 #include "nss.h"
 #include "secutil.h"
 #include "cert.h"
 #include "pk11func.h"
@@ -108,17 +108,17 @@ readStdin(SECItem * result)
   int bufsize = 0;
   int cc;
   int wanted  = 8192;
 
   result->len = 0;
   result->data = NULL;
   do {
     if (bufsize < wanted) {
-      unsigned char * tmpData = (unsigned char *)realloc(result->data, wanted);
+      unsigned char * tmpData = (unsigned char *)PR_Realloc(result->data, wanted);
       if (!tmpData) {
 	if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
 	return -1;
       }
       result->data = tmpData;
       bufsize = wanted;
     }
     cc = PR_Read(PR_STDIN, result->data + result->len, bufsize - result->len);
@@ -148,17 +148,17 @@ readInputFile(const char * filename, SEC
 
   s = PR_GetOpenFileInfo(file, &info);
   if (s != PR_SUCCESS) {
     if (verbose) PR_fprintf(pr_stderr, "File info operation failed\n");
     goto file_loser;
   }
 
   result->len = info.size;
-  result->data = (unsigned char *)malloc(result->len);
+  result->data = (unsigned char *)PR_Malloc(result->len);
   if (!result->data) {
     if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
     goto file_loser;
   }
 
   count = PR_Read(file, result->data, result->len);
   if (count != result->len) {
     if (verbose) PR_fprintf(pr_stderr, "Read failed\n");
@@ -308,17 +308,17 @@ main (int argc, char **argv)
 	SECItem newResult = {0, 0, 0};
 	SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult, 
 	                       (const char *)result.data, result.len);
 	if (!ok) {
 	  SECU_PrintError(program_name, "Base 64 decode failed");
 	  retval = -1;
 	  goto loser;
 	}
-	free(result.data);
+	SECITEM_ZfreeItem(&result, PR_FALSE);
 	result = *ok;
       }
     }
     else
     {
       SECItem keyid = { 0, 0, 0 };
       SECItem outBuf = { 0, 0, 0 };
       PK11SlotInfo *slot = NULL;
@@ -431,18 +431,18 @@ main (int argc, char **argv)
     if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
     {
       if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
       retval = -1;
       goto loser;
     }
 
 loser:
-    if (text.data) free(text.data);
-    if (result.data) free(result.data);
+    if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE);
+    if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE);
     if (NSS_Shutdown() != SECSuccess) {
        exit(1);
     }
 
 prdone:
     PR_Cleanup ();
     if (pwdata.data) {
 	PORT_Free(pwdata.data);
--- a/security/nss/cmd/shlibsign/sign.sh
+++ b/security/nss/cmd/shlibsign/sign.sh
@@ -16,34 +16,16 @@ WIN*)
             ARG4=${4}
         fi
         PATH=${ARG1}/lib:${ARG1}/bin:${ARG4}:${PATH}
     fi
     export PATH
     echo ${2}/shlibsign -v -i ${5}
     ${2}/shlibsign -v -i ${5}
     ;;
-OpenVMS)
-    temp="tmp$$.tmp"
-    temp2="tmp$$.tmp2"
-    cd ${1}/lib
-    vmsdir=`dcl show default`
-    ls *.so > $temp
-    sed -e "s/\([^\.]*\)\.so/\$ define\/job \1 ${vmsdir}\1.so/" $temp > $temp2
-    echo '$ define/job getipnodebyname xxx' >> $temp2
-    echo '$ define/job vms_null_dl_name sys$share:decc$shr' >> $temp2
-    dcl @$temp2
-    echo ${2}/shlibsign -v -i ${5}
-    ${2}/shlibsign -v -i ${5}
-    sed -e "s/\([^\.]*\)\.so/\$ deass\/job \1/" $temp > $temp2
-    echo '$ deass/job getipnodebyname' >> $temp2
-    echo '$ deass/job vms_null_dl_name' >> $temp2
-    dcl @$temp2
-    rm $temp $temp2
-    ;;
 *)
     LIBPATH=`(cd ${1}/lib; pwd)`:`(cd ${4}; pwd)`:$LIBPATH
     export LIBPATH
     SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
     export SHLIB_PATH
     LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
     export LD_LIBRARY_PATH
     DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/tests/baddbdir.c
@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "nss.h"
+#include "secerr.h"
+
+/*
+ * Regression test for bug 495097.
+ *
+ * NSS_InitReadWrite("sql:<dbdir>") should fail with SEC_ERROR_BAD_DATABASE
+ * if the directory <dbdir> doesn't exist.
+ */
+
+int main()
+{
+    SECStatus status;
+    int error;
+
+    status = NSS_InitReadWrite("sql:/no/such/db/dir");
+    if (status == SECSuccess) {
+        fprintf(stderr, "NSS_InitReadWrite succeeded unexpectedly\n");
+        exit(1);
+    }
+    error = PORT_GetError();
+    if (error != SEC_ERROR_BAD_DATABASE) {
+        fprintf(stderr, "NSS_InitReadWrite failed with the wrong error code: "
+                "%d\n", error);
+        exit(1);
+    }
+    printf("PASS\n");
+    return 0;
+}
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -36,16 +36,17 @@
 # ***** END LICENSE BLOCK *****
 
 CORE_DEPTH = ../../..
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss
 
 CSRCS = \
+	baddbdir.c \
 	conflict.c \
 	nonspr10.c \
 	remtest.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = seccmd dbm
--- a/security/nss/cmd/zlib/README
+++ b/security/nss/cmd/zlib/README
@@ -12,17 +12,17 @@ All functions of the compression library
 of the library is given in the file example.c which also tests that the library
 is working correctly. Another example is given in the file minigzip.c. The
 compression library itself is composed of all source files except example.c and
 minigzip.c.
 
 To compile all files and run the test program, follow the instructions given at
 the top of Makefile. In short "make test; make install" should work for most
 machines. For Unix: "./configure; make test; make install". For MSDOS, use one
-of the special makefiles such as Makefile.msc. For VMS, use make_vms.com.
+of the special makefiles such as Makefile.msc. 
 
 Questions about zlib should be sent to <zlib@gzip.org>, or to Gilles Vollant
 <info@winimage.com> for the Windows DLL version. The zlib home page is
 http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem,
 please check this site to verify that you have the latest version of zlib;
 otherwise get the latest version and check whether the problem still exists or
 not.
 
--- a/security/nss/cmd/zlib/example.c
+++ b/security/nss/cmd/zlib/example.c
@@ -1,24 +1,24 @@
 /* example.c -- usage example of the zlib compression library
  * Copyright (C) 1995-2004 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: example.c,v 1.5 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */
+/* @(#) $Id: example.c,v 1.6 2009/06/05 02:22:16 nelson%bolyard.com Exp $ */
 
 #include <stdio.h>
 #include "zlib.h"
 
 #ifdef STDC
 #  include <string.h>
 #  include <stdlib.h>
 #endif
 
-#if defined(VMS) || defined(RISCOS)
+#if defined(RISCOS)
 #  define TESTFILE "foo-gz"
 #else
 #  define TESTFILE "foo.gz"
 #endif
 
 #define CHECK_ERR(err, msg) { \
     if (err != Z_OK) { \
         fprintf(stderr, "%s error: %d\n", msg, err); \
--- a/security/nss/cmd/zlib/minigzip.c
+++ b/security/nss/cmd/zlib/minigzip.c
@@ -8,17 +8,17 @@
  * only an example of using zlib and isn't meant to replace the
  * full-featured gzip. No attempt is made to deal with file systems
  * limiting names to 14 or 8+3 characters, etc... Error checking is
  * very limited. So use minigzip only for testing; use gzip for the
  * real thing. On MSDOS, use only on file names without extension
  * or in pipe mode.
  */
 
-/* @(#) $Id: minigzip.c,v 1.5 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */
+/* @(#) $Id: minigzip.c,v 1.6 2009/06/05 02:22:16 nelson%bolyard.com Exp $ */
 
 #include <stdio.h>
 #include "zlib.h"
 
 #ifdef STDC
 #  include <string.h>
 #  include <stdlib.h>
 #endif
@@ -32,20 +32,16 @@
 #if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
 #  include <fcntl.h>
 #  include <io.h>
 #  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
 #else
 #  define SET_BINARY_MODE(file)
 #endif
 
-#ifdef VMS
-#  define unlink delete
-#  define GZ_SUFFIX "-gz"
-#endif
 #ifdef RISCOS
 #  define unlink remove
 #  define GZ_SUFFIX "-gz"
 #  define fileno(file) file->__file
 #endif
 #if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
 #  include <unix.h> /* for fileno */
 #endif
--- a/security/nss/cmd/zlib/zconf.h
+++ b/security/nss/cmd/zlib/zconf.h
@@ -1,14 +1,14 @@
 /* zconf.h -- configuration of the zlib compression library
  * Copyright (C) 1995-2005 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: zconf.h,v 1.6 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */
+/* @(#) $Id: zconf.h,v 1.7 2009/06/05 02:22:17 nelson%bolyard.com Exp $ */
 
 #ifndef ZCONF_H
 #define ZCONF_H
 
 /*
  * If you *really* need a unique prefix for all types and library functions,
  * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
  */
@@ -279,24 +279,16 @@ typedef uLong FAR uLongf;
    typedef void FAR   *voidpf;
    typedef void       *voidp;
 #else
    typedef Byte const *voidpc;
    typedef Byte FAR   *voidpf;
    typedef Byte       *voidp;
 #endif
 
-#if 0           /* HAVE_UNISTD_H -- this line is updated by ./configure */
-#  include <sys/types.h> /* for off_t */
-#  include <unistd.h>    /* for SEEK_* and off_t */
-#  ifdef VMS
-#    include <unixio.h>   /* for off_t */
-#  endif
-#  define z_off_t off_t
-#endif
 #ifndef SEEK_SET
 #  define SEEK_SET        0       /* Seek from beginning of file.  */
 #  define SEEK_CUR        1       /* Seek from current position.  */
 #  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
 #endif
 #ifndef z_off_t
 #  define z_off_t long
 #endif
--- a/security/nss/cmd/zlib/zutil.h
+++ b/security/nss/cmd/zlib/zutil.h
@@ -3,17 +3,17 @@
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
 /* WARNING: this file should *not* be used by applications. It is
    part of the implementation of the compression library and is
    subject to change. Applications should only use zlib.h.
  */
 
-/* @(#) $Id: zutil.h,v 1.7 2007/12/01 02:16:10 julien.pierre.boogz%sun.com Exp $ */
+/* @(#) $Id: zutil.h,v 1.8 2009/06/05 02:22:17 nelson%bolyard.com Exp $ */
 
 #ifndef ZUTIL_H
 #define ZUTIL_H
 
 #define ZLIB_INTERNAL
 #include "zlib.h"
 
 #ifdef STDC
@@ -100,17 +100,17 @@ extern const char * const z_errmsg[10]; 
 #    include <malloc.h>
 #  endif
 #endif
 
 #ifdef AMIGA
 #  define OS_CODE  0x01
 #endif
 
-#if defined(VAXC) || defined(VMS)
+#if defined(VAXC)
 #  define OS_CODE  0x02
 #  define F_OPEN(name, mode) \
      fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
 #endif
 
 #if defined(ATARI) || defined(atarist)
 #  define OS_CODE  0x05
 #endif
@@ -200,19 +200,16 @@ extern const char * const z_errmsg[10]; 
 #    if !defined(vsnprintf) && !defined(NO_vsnprintf)
 #      define vsnprintf _vsnprintf
 #    endif
 #  endif
 #  ifdef __SASC
 #    define NO_vsnprintf
 #  endif
 #endif
-#ifdef VMS
-#  define NO_vsnprintf
-#endif
 
 #if defined(pyr)
 #  define NO_MEMCPY
 #endif
 #if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)
  /* Use our own functions for small and medium model with MSC <= 5.0.
   * You may have to use the same strategy for Borland C (untested).
   * The __SC__ check is for Symantec.
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * cert.h - public data structures and prototypes for the certificate library
  *
- * $Id: cert.h,v 1.77 2009/04/17 22:46:27 julien.pierre.boogz%sun.com Exp $
+ * $Id: cert.h,v 1.78 2009/05/14 01:33:36 julien.pierre.boogz%sun.com Exp $
  */
 
 #ifndef _CERT_H_
 #define _CERT_H_
 
 #include "utilrename.h"
 #include "plarena.h"
 #include "plhash.h"
@@ -1605,35 +1605,35 @@ extern SECStatus
 CERT_EncodeNoticeReference(PLArenaPool *arena,
                            CERTNoticeReference *reference,
                            SECItem *dest);
 
 /*
  * Returns a pointer to a static structure.
  */
 extern const CERTRevocationFlags*
-CERT_GetPKIXVerifyNistRevocationPolicy();
+CERT_GetPKIXVerifyNistRevocationPolicy(void);
 
 /*
  * Returns a pointer to a static structure.
  */
 extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledSoftFailurePolicy();
+CERT_GetClassicOCSPEnabledSoftFailurePolicy(void);
 
 /*
  * Returns a pointer to a static structure.
  */
 extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledHardFailurePolicy();
+CERT_GetClassicOCSPEnabledHardFailurePolicy(void);
 
 /*
  * Returns a pointer to a static structure.
  */
 extern const CERTRevocationFlags*
-CERT_GetClassicOCSPDisabledPolicy();
+CERT_GetClassicOCSPDisabledPolicy(void);
 
 /*
  * Verify a Cert with libpkix
  *  paramsIn control the verification options. If a value isn't specified
  *   in paramsIn, it reverts to the application default.
  *  paramsOut specifies the parameters the caller would like to get back.
  *   the caller may pass NULL, in which case no parameters are returned.
  */
@@ -1657,13 +1657,13 @@ extern SECStatus CERT_PKIXSetDefaults(CE
 /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
  * to use libpkix validation engine. The function should be called ones at
  * application initialization time.
  * Function is not thread safe.*/
 SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
 
 /* The function return PR_TRUE if cert validation should use
  * libpkix cert validation engine. */
-PRBool CERT_GetUsePKIXForValidation();
+PRBool CERT_GetUsePKIXForValidation(void);
 
 SEC_END_PROTOS
 
 #endif /* _CERT_H_ */
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -34,17 +34,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.100 2009/03/23 02:18:19 nelson%bolyard.com Exp $
+ * $Id: certdb.c,v 1.101 2009/05/18 21:33:25 nelson%bolyard.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -1734,29 +1734,29 @@ cert_GetDNSPatternsFromGeneralNames(CERT
             ** so must copy it.  
             */
             cn = (char *)PORT_ArenaAlloc(nickNames->arena, 
                                          currentInput->name.other.len + 1);
             if (!cn)
               return SECFailure;
             PORT_Memcpy(cn, currentInput->name.other.data, 
                             currentInput->name.other.len);
-            cn[currentInput->name.other.len + 1] = 0;
+            cn[currentInput->name.other.len] = 0;
             break;
         case certIPAddress:
             if (currentInput->name.other.len == 4) {
               addr.inet.family = PR_AF_INET;
               memcpy(&addr.inet.ip, currentInput->name.other.data, 
                                     currentInput->name.other.len);
             } else if (currentInput->name.other.len == 16) {
               addr.ipv6.family = PR_AF_INET6;
               memcpy(&addr.ipv6.ip, currentInput->name.other.data, 
                                     currentInput->name.other.len);
             }
-            if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf) == PR_FAILURE))
+            if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == PR_FAILURE)
               return SECFailure;
             cn = PORT_ArenaStrdup(nickNames->arena, ipbuf);
             if (!cn)
               return SECFailure;
             break;
         default:
             break;
         }
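Review bot: In the `certIPAddress` case an address whose length is neither 4 nor 16 still reaches `PR_NetAddrToString(&addr, ...)` although neither branch has filled in `addr`. Unless `addr` is initialised outside this hunk, the call then reads an indeterminate family and address for a name that comes from certificate data. An explicit `else { return SECFailure; }` after the two length branches (or skipping that name) closes the path. The enclosing function starts and ends outside the hunk.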
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -58,17 +58,17 @@ SEC_FindCrlByKey(CERTCertDBHandle *handl
 
 CERTSignedCrl *
 SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
 
 CERTSignedCrl *
 SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
 
 PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+SEC_CertNicknameConflict(const char *nickname, SECItem *derSubject,
 			 CERTCertDBHandle *handle);
 CERTSignedCrl *
 SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
 
 SECStatus
 SEC_DeletePermCRL(CERTSignedCrl *crl);
 
 
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.50 2009/04/24 19:18:32 nelson%bolyard.com Exp $
+ * $Id: certt.h,v 1.52 2009/05/29 18:10:38 alexei.volkov.bugs%sun.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
@@ -935,22 +935,27 @@ typedef enum {
 				 * specified in value.scalar.time. A special 
 				 * value '0' indicates 'now'. default is '0' */
    cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
 				 * See CERT_REV_FLAG_* macros below
 				 * Set in value.pointer.revocation */
    cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
 				 * Set in value.scalar.ui */
    cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
-				 * validate against. If the list in NULL all
-				 * default trusted roots are used.
+				 * validate against. 
+				 * The default set of trusted roots, these are
+				 * root CA certs from libnssckbi.so or CA
+				 * certs trusted by user, are used in any of
+				 * the following cases:
+				 *      * when the parameter is not set.
+				 *      * when the list of trust anchors is empty.
 				 * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
-				 * Default is off.
-                                     * Value is in value.scalar.b */
+				 * In NSS 3.12.1 or later. Default is off.
+				 * Value is in value.scalar.b */
    cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
 				 *  can increase in future releases */
 } CERTValParamInType;
 
 /*
  * for all out parameters:
  *  out parameters are only returned if the caller asks for them in
  *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
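Review bot: The rewritten `cert_pi_trustAnchors` comment lists "parameter is not set" and "list is empty" as the cases that fall back to the default roots, but it no longer says what a NULL `value.pointer.chain` does. The removed text said NULL selected the default roots, while the `cert_pkixSetParam` hunk in this commit now sets `r = SECFailure` for a NULL list, so callers written against the old wording will start failing. I would add a line such as ` * A NULL list is rejected with SECFailure.` to the comment. It is also worth stating that an empty list widens trust to all default roots, so a caller that means to restrict anchors has to check for an empty list itself. The enum begins before this hunk.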
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.66 2009/04/21 22:53:58 julien.pierre.boogz%sun.com Exp $
+ * $Id: crl.c,v 1.67 2009/05/13 22:47:28 julien.pierre.boogz%sun.com Exp $
  */
  
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "certdb.h"
@@ -3131,16 +3131,17 @@ static SECStatus addCRLToCache(CERTCertD
             /* all other reasons */
             default:
                 entry->unsupported = PR_TRUE;
                 break;
         }
         rv = SECFailure;
         /* no need to keep unused CRL around */
         SECITEM_ZfreeItem(entry->crl, PR_TRUE);
+        entry->crl = NULL;
     }
     return rv;
 }
 
 /* take ownership of CRL, and insert it into the named CRL cache
  * and indexed CRL cache
  */
 SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
@@ -3201,16 +3202,20 @@ SECStatus cert_CacheCRLByGeneralName(CER
                 PORT_Assert(SECSuccess == rv);
             }
             removed = PL_HashTableRemove(namedCRLCache.entries,
                                       (void*) oldEntry->canonicalizedName);
             PORT_Assert(removed);
             if (!removed)
             {
                 rv = SECFailure;
+		/* leak old entry since we couldn't remove it from the hash table */
+            }
+            else
+            {
                 rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
                 PORT_Assert(SECSuccess == rv2);
             }
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                       (void*) newEntry->canonicalizedName,
                                       (void*) newEntry))
             {
                 PORT_Assert(0);
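Review bot: When `PL_HashTableRemove` fails, this hunk and the "previous cache entry was bad" hunk below both set `rv = SECFailure` and deliberately leak `oldEntry`, yet control still falls through to `PL_HashTableAdd` with `newEntry->canonicalizedName`. Whether the table should receive the new entry while `rv` is `SECFailure`, and who owns `newEntry` afterwards, is not visible here. If the add is intended, a comment like `/* still insert newEntry; rv stays SECFailure */` would make that explicit, otherwise the add belongs inside the new `else` branch. The two added comments are also tab-indented in a space-indented block and sit on opposite sides of `rv = SECFailure;`. `cert_CacheCRLByGeneralName` starts and ends outside both hunks.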
@@ -3244,17 +3249,21 @@ SECStatus cert_CacheCRLByGeneralName(CER
             else
             {
                 /* previous cache entry was bad, just replace it */
                 PRBool removed = PL_HashTableRemove(namedCRLCache.entries,
                                           (void*) oldEntry->canonicalizedName);
                 PORT_Assert(removed);
                 if (!removed)
                 {
+		    /* leak old entry since we couldn't remove it from the hash table */
                     rv = SECFailure;
+                }
+                else
+                {
                     rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
                     PORT_Assert(SECSuccess == rv2);
                 }
                 if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                           (void*) newEntry->canonicalizedName,
                                           (void*) newEntry))
                 {
                     PORT_Assert(0);
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -58,17 +58,17 @@
 #include "pki3hack.h"
 #include "ckhelper.h"
 #include "base.h"
 #include "pkistore.h"
 #include "dev3hack.h"
 #include "dev.h"
 
 PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+SEC_CertNicknameConflict(const char *nickname, SECItem *derSubject,
 			 CERTCertDBHandle *handle)
 {
     CERTCertificate *cert;
     PRBool conflict = PR_FALSE;
 
     cert=CERT_FindCertByNickname(handle, nickname);
 
     if (!cert) {
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -1685,17 +1685,21 @@ cert_pkixSetParam(PKIX_ProcessingParams 
                 break;
             }
 
         }
         break;
 
         case cert_pi_trustAnchors:
             certList = param->value.pointer.chain;
-
+            if (!certList) {
+                PORT_SetError(errCode);
+                r = SECFailure;
+                break;
+            }
             error = PKIX_List_Create(&certListPkix, plContext);
             if (error != NULL) {
                 break;
             }
             for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
                 node = CERT_LIST_NEXT(node) ) {
                 error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
                                                       &certPkix, plContext);
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -34,17 +34,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.58 2009/03/21 01:40:35 nelson%bolyard.com Exp $
+ * $Id: ocsp.c,v 1.59 2009/06/10 22:59:09 julien.pierre.boogz%sun.com Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -725,17 +725,17 @@ ocsp_FreshenCacheItemNextFetchAttemptTim
             OCSP_Global.minimumSecondsToNextFetchAttempt *
                 MICROSECONDS_PER_SECOND;
         OCSP_TRACE_TIME("no thisUpdate, "
                         "latestTimeWhenResponseIsConsideredFresh:", 
                         latestTimeWhenResponseIsConsideredFresh);
     }
   
     if (cacheItem->haveNextUpdate) {
-        OCSP_TRACE_TIME("have nextUpdate:", cacheItem->thisUpdate);
+        OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate);
     }
   
     if (cacheItem->haveNextUpdate &&
         cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) {
         latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate;
         OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting "
                         "latestTimeWhenResponseIsConsideredFresh:", 
                         latestTimeWhenResponseIsConsideredFresh);
--- a/security/nss/lib/ckfw/Makefile
+++ b/security/nss/lib/ckfw/Makefile
@@ -29,24 +29,24 @@
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.16 $ $Date: 2008/12/03 18:44:24 $"
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.17 $ $Date: 2009/05/22 01:03:30 $"
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 include config.mk
 include $(CORE_DEPTH)/coreconf/rules.mk
 
-ifdef MOZILLA_CLIENT
+ifdef NOTDEF # was ifdef MOZILLA_CLIENT
 NSS_BUILD_CAPI = 1
 endif
 
 # This'll need some help from a build person.
 
 # The generated files are checked in, and differ from what ckapi.perl
 # will produce.  ckapi.perl is currently newer than the targets, so
 # these rules are invoked, causing the wrong files to be generated.
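Review bot: Switching the guard to `ifdef NOTDEF` turns off `NSS_BUILD_CAPI` by relying on a macro that is expected never to be defined, and the only trace of the reason is `# was ifdef MOZILLA_CLIENT`. If the CAPI module should no longer be built for client builds, deleting the three lines or stating the reason (for example `# CAPI module is not built for MOZILLA_CLIENT, see bug <BUG-ID>`, with the real bug number filled in) would be clearer. It would also keep the block from silently coming back if some environment ever defines `NOTDEF`.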
--- a/security/nss/lib/ckfw/builtins/config.mk
+++ b/security/nss/lib/ckfw/builtins/config.mk
@@ -29,17 +29,17 @@
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.13 $ $Date: 2009/03/20 07:19:36 $"
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.14 $ $Date: 2009/06/11 00:55:34 $"
 
 #
 #  Override TARGETS variable so that only shared libraries
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(SHARED_LIBRARY)
 LIBRARY        =
@@ -60,22 +60,8 @@ endif
 # To create a loadable module on Darwin, we must use -bundle.
 #
 ifeq ($(OS_TARGET),Darwin)
 ifndef USE_64
 DSO_LDOPTS = -bundle
 endif
 endif
 
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
--- a/security/nss/lib/ckfw/capi/config.mk
+++ b/security/nss/lib/ckfw/capi/config.mk
@@ -29,17 +29,17 @@
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.2 $ $Date: 2009/03/20 07:19:45 $"
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.3 $ $Date: 2009/06/11 00:55:42 $"
 
 #
 #  Override TARGETS variable so that only shared libraries
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(SHARED_LIBRARY)
 LIBRARY        =
@@ -60,14 +60,8 @@ endif
 # To create a loadable module on Darwin, we must use -bundle.
 #
 ifeq ($(OS_TARGET),Darwin)
 ifndef USE_64
 DSO_LDOPTS = -bundle
 endif
 endif
 
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
--- a/security/nss/lib/ckfw/sessobj.c
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.14 $ $Date: 2009/02/09 07:55:53 $";
+static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.15 $ $Date: 2009/06/05 00:22:04 $";
 #endif /* DEBUG */
 
 /*
  * sessobj.c
  *
  * This file contains an NSSCKMDObject implementation for session 
  * objects.  The framework uses this implementation to manage
  * session objects when a Module doesn't wish to be bothered.
@@ -701,28 +701,25 @@ nss_ckmdSessionObject_SetAttribute
    * It's new.
    */
 
   ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
   if (!ra) {
     nss_ZFreeIf(n.data);
     return CKR_HOST_MEMORY;
   }
+  obj->attributes = ra;
 
-  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
-  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
+  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, 
+                                      sizeof(CK_ATTRIBUTE_TYPE) * (obj->n + 1));
+  if (!rt) {
     nss_ZFreeIf(n.data);
-    obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
-    if (!obj->attributes) {
-      return CKR_GENERAL_ERROR;
-    }
     return CKR_HOST_MEMORY;
   }
 
-  obj->attributes = ra;
   obj->types = rt;
   obj->attributes[obj->n] = n;
   obj->types[obj->n] = attribute;
   obj->n++;
 
   return CKR_OK;
 }
 
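Review bot: Moving `obj->attributes = ra;` ahead of the second `nss_ZRealloc` is what keeps the object consistent on the `!rt` failure path, and that deserves a comment. After the first reallocation succeeds the old `obj->attributes` pointer is presumably no longer valid (as with `realloc`), so it has to be replaced before `return CKR_HOST_MEMORY`; the attributes array is then one slot larger than `obj->types`, which is harmless only because `obj->n` is not incremented. Something like `/* commit ra now: obj->n is unchanged, so the extra slot stays unused if the types realloc fails */` above the assignment would record this. Separately, `sizeof(...) * (obj->n + 1)` is computed without an overflow check in both calls; the type and bound of `obj->n` are not visible in this hunk.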
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -253,21 +253,27 @@ SECKEYPrivateKey *
 SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx)
 {
     SECKEYPrivateKey *privk;
     PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx);
     if (!slot) {
 	return NULL;
     }
 
-    privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
-                                 pubk, PR_FALSE, PR_FALSE, cx);
+    privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, 
+                        param, pubk,
+                        PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | 
+                        PK11_ATTR_PUBLIC,
+                        CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx);
     if (!privk) 
-	privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
-	                             pubk, PR_FALSE, PR_TRUE, cx);
+        privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, 
+                        param, pubk,
+                        PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | 
+                        PK11_ATTR_PRIVATE,
+                        CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx);
 
     PK11_FreeSlot(slot);
     return(privk);
 }
 
 void
 SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
 {
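Review bot: `SECKEY_CreateECPrivateKey` now hard-codes two policy choices that nothing in the hunk documents. The first attempt asks for `PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC` with the sensitive/private form only as a fallback, and the key is limited to derivation, since `CKF_SIGN` appears in the mask but not in the flags. A caller going by the function name would not expect a key that cannot sign, or one whose sensitivity depends on which attempt the token accepted. A header comment such as `/* Creates a session EC key for derivation only (signing disabled); tries an insensitive key first, then a sensitive one. */` would state that, ideally with the reason the insensitive form is preferred. The fallback under `if (!privk)` also spans five lines without braces.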
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -89,16 +89,24 @@ else
 endif
 endif
 
 ifeq ($(OS_TARGET),OSF1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
     MPI_SRCS += mpvalpha.c
 endif
 
+ifeq (OS2,$(OS_TARGET))
+    ASFILES  = mpi_x86_os2.s
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+    DEFINES += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+    DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+endif
+
 ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WINCE
 ifndef USE_64
 # 32-bit Windows
 ifdef NS_USE_GCC
 # Ideally, we want to use assembler
 #     ASFILES  = mpi_x86.s
 #     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
 #                -DMP_ASSEMBLY_DIV_2DX1D
@@ -217,19 +225,16 @@ endif
 # (ldvector.c) to the blapi functions defined in the freebl
 # shared libraries.
 ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
     MKSHLIB += -Wl,-Bsymbolic
 endif
 
 ifeq ($(OS_TARGET),SunOS)
 
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
 ifdef NS_USE_GCC
     ifdef GCC_USE_GNU_LD
 	MKSHLIB += -Wl,-Bsymbolic,-z,now,-z,text
     else
 	MKSHLIB += -Wl,-B,symbolic,-z,now,-z,text
     endif # GCC_USE_GNU_LD
 else
     MKSHLIB += -B symbolic -z now -z text
--- a/security/nss/lib/freebl/des.c
+++ b/security/nss/lib/freebl/des.c
@@ -398,16 +398,21 @@ static const HALF PC2[8][64] = {
     temp  = (word ^ (word >> 18)) & 0x00003333; \
     word ^=  temp | (temp << 18); \
     temp  = (word ^ (word >> 9)) & 0x00550055; \
     word ^=  temp | (temp << 9);
 
 #if defined(__GNUC__) && defined(NSS_X86_OR_X64)
 #define BYTESWAP(word, temp) \
     __asm("bswap	%0" : "+r" (word));
+#elif (_MSC_VER >= 1300) && defined(NSS_X86_OR_X64)
+#include <stdlib.h>
+#pragma intrinsic(_byteswap_ulong)
+#define BYTESWAP(word, temp) \
+    word = _byteswap_ulong(word);
 #else
 #define BYTESWAP(word, temp) \
     word = (word >> 16) | (word << 16); \
     temp = 0x00ff00ff; \
     word = ((word & temp) << 8) | ((word >> 8) & temp); 
 #endif
 
 #define PC1(left, right, c0, d0, temp) \
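Review bot: The new branch tests `(_MSC_VER >= 1300)` without `defined(_MSC_VER)`, unlike the `defined(__GNUC__)` test in the branch above it. It evaluates correctly because an undefined macro is 0 in `#elif`, but it warns under `-Wundef` and reads inconsistently; `#elif defined(_MSC_VER) && (_MSC_VER >= 1300) && defined(NSS_X86_OR_X64)` is the safer spelling. The `#include <stdlib.h>` in the middle of the file would also sit better with the file's other includes, if that can be done without pulling it into non-MSVC builds.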
--- a/security/nss/lib/freebl/drbg.c
+++ b/security/nss/lib/freebl/drbg.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: drbg.c,v 1.8 2009/04/01 03:37:29 wtc%google.com Exp $ */
+/* $Id: drbg.c,v 1.9 2009/06/10 03:24:01 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prerror.h"
 #include "secerr.h"
 
@@ -376,16 +376,19 @@ prng_generateNewBytes(RNGContext *rng,
  */
 static const PRCallOnceType pristineCallOnce;
 static PRCallOnceType coRNGInit;
 static PRStatus rng_init(void)
 {
     PRUint8 bytes[PRNG_SEEDLEN*2]; /* entropy + nonce */
     unsigned int numBytes;
     if (globalrng == NULL) {
+	/* bytes needs to have enough space to hold
+	 * a SHA256 hash value. Blow up at compile time if this isn't true */
+	PR_STATIC_ASSERT(sizeof(bytes) >= SHA256_LENGTH);
 	/* create a new global RNG context */
 	globalrng = &theGlobalRng;
         PORT_Assert(NULL == globalrng->lock);
 	/* create a lock for it */
 	globalrng->lock = PZ_NewLock(nssILockOther);
 	if (globalrng->lock == NULL) {
 	    globalrng = NULL;
 	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
@@ -409,16 +412,20 @@ static PRStatus rng_init(void)
 	    PZ_DestroyLock(globalrng->lock);
 	    globalrng->lock = NULL;
 	    globalrng = NULL;
 	    return PR_FAILURE;
 	}
 	/* the RNG is in a valid state */
 	globalrng->isValid = PR_TRUE;
 
+	/* fetch one random value so that we can populate rng->oldV for our
+	 * continous random number test. */
+	prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0);
+
 	/* Fetch more entropy into the PRNG */
 	RNG_SystemInfoForRNG();
     }
     return PR_SUCCESS;
 }
 
 /*
  * Clean up the global RNG context
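Review bot: The result of the added `prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0)` call is discarded, and `globalrng->isValid` has already been set to `PR_TRUE` just above it. If that call can fail (its return type is not visible in this hunk), `rng_init` still returns `PR_SUCCESS` with `oldV` never populated, so the continuous test the comment describes would start from an unset value. Checking the result and taking the same teardown as the failure path above (destroy the lock, clear `globalrng`, return `PR_FAILURE`) would keep initialisation fail-closed. The generated block also stays in the stack buffer `bytes`; clearing it after the call, e.g. `memset(bytes, 0, sizeof bytes);`, costs nothing.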
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_x86_os2.s
@@ -0,0 +1,573 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#  $Id: mpi_x86_os2.s,v 1.1 2009/06/04 23:53:42 julien.pierre.boogz%sun.com Exp $
+#
+
+.data
+.align 4
+ #
+ # -1 means to call _s_mpi_is_sse to determine if we support sse 
+ #    instructions.
+ #  0 means to use x86 instructions
+ #  1 means to use sse2 instructions
+.type	is_sse,@object
+.size	is_sse,4
+is_sse: .long	-1 
+
+#
+# sigh, handle the difference between -fPIC and not PIC
+# default to pic, since this file seems to be exclusively
+# linux right now (solaris uses mpi_i86pc.s and windows uses
+# mpi_x86_asm.c)
+#
+#.ifndef NO_PIC
+#.macro GET   var,reg
+#    movl   \var@GOTOFF(%ebx),\reg
+#.endm
+#.macro PUT   reg,var
+#    movl   \reg,\var@GOTOFF(%ebx)
+#.endm
+#.else
+.macro GET   var,reg
+    movl   \var,\reg
+.endm
+.macro PUT   reg,var
+    movl   \reg,\var
+.endm
+#.endif
+
+.text
+
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	_s_mpv_mul_d
+.type	_s_mpv_mul_d,@function
+_s_mpv_mul_d:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     _s_mpv_mul_d_x86
+    jg     _s_mpv_mul_d_sse2
+    call   _s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     _s_mpv_mul_d_sse2
+_s_mpv_mul_d_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     2f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+1:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    1b			# jmp if a_len != 0
+2:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     6f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+5:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    5b			# jmp if a_len != 0
+6:
+    movd   %mm2,0(%edi)		# *c = carry
+    emms
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	_s_mpv_mul_d_add
+.type	_s_mpv_mul_d_add,@function
+_s_mpv_mul_d_add:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     _s_mpv_mul_d_add_x86
+    jg     _s_mpv_mul_d_add_sse2
+    call   _s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     _s_mpv_mul_d_add_sse2
+_s_mpv_mul_d_add_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     11f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+10:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    10b			# jmp if a_len != 0
+11:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d_add_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     16f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+15:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    movd   0(%edi),%mm0
+    paddq  %mm0,%mm2            # add the carry
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    15b			# jmp if a_len != 0
+16:
+    movd   %mm2,0(%edi)		# *c = carry
+    emms
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 8:	caller's esi
+ #  ebp - 4:	caller's edi
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	_s_mpv_mul_d_add_prop
+.type	_s_mpv_mul_d_add_prop,@function
+_s_mpv_mul_d_add_prop:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     _s_mpv_mul_d_add_prop_x86
+    jg     _s_mpv_mul_d_add_prop_sse2
+    call   _s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     _s_mpv_mul_d_add_prop_sse2
+_s_mpv_mul_d_add_prop_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     21f			# jmp if a_len == 0
+    cld
+    mov    8(%ebp),%esi		# esi = a
+20:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    20b			# jmp if a_len != 0
+21:
+    cmp    $0,%ebx		# is carry zero?
+    jz     23f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    23f
+22:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     22b
+23:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d_add_prop_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    push   %ebx
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     26f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+25:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    movd   0(%edi),%mm3		# fetch the sum
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    paddq  %mm3,%mm2            # add *c++
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    25b			# jmp if a_len != 0
+26:
+    movd   %mm2,%ebx
+    cmp    $0,%ebx		# is carry zero?
+    jz     28f
+    mov    0(%edi),%eax
+    add    %ebx, %eax
+    stosl
+    jnc    28f
+27:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     27b
+28:
+    emms
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+
+ #  ebp - 20:	caller's esi
+ #  ebp - 16:	caller's edi
+ #  ebp - 12:	
+ #  ebp - 8:	carry
+ #  ebp - 4:	a_len	local
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	pa	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	ps	argument
+ #  ebp + 20:	
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+
+.globl	_s_mpv_sqr_add_prop
+.type	_s_mpv_sqr_add_prop,@function
+_s_mpv_sqr_add_prop:
+     GET   is_sse,%eax
+     cmp    $0,%eax
+     je     _s_mpv_sqr_add_prop_x86
+     jg     _s_mpv_sqr_add_prop_sse2
+     call   _s_mpi_is_sse2
+     PUT    %eax,is_sse
+     cmp    $0,%eax
+     jg     _s_mpv_sqr_add_prop_sse2
+_s_mpv_sqr_add_prop_x86:
+     push   %ebp
+     mov    %esp,%ebp
+     sub    $12,%esp
+     push   %edi
+     push   %esi
+     push   %ebx
+     movl   $0,%ebx		# carry = 0
+     mov    12(%ebp),%ecx	# a_len
+     mov    16(%ebp),%edi	# edi = ps
+     cmp    $0,%ecx
+     je     31f			# jump if a_len == 0
+     cld
+     mov    8(%ebp),%esi	# esi = pa
+30:
+     lodsl			# %eax = [ds:si]; si += 4;
+     mull   %eax
+
+     add    %ebx,%eax		# add "carry"
+     adc    $0,%edx
+     mov    0(%edi),%ebx
+     add    %ebx,%eax		# add low word from result
+     mov    4(%edi),%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     adc    %ebx,%edx		# add high word from result
+     movl   $0,%ebx
+     mov    %edx,%eax
+     adc    $0,%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     dec    %ecx		# --a_len
+     jnz    30b			# jmp if a_len != 0
+31:
+    cmp    $0,%ebx		# is carry zero?
+    jz     34f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    34f
+32:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     32b
+34:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+_s_mpv_sqr_add_prop_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    push   %ebx
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    16(%ebp),%edi
+    cmp    $0,%ecx
+    je     36f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+35:
+    movd   0(%esi),%mm0        # mm0 = *a
+    movd   0(%edi),%mm3	       # fetch the sum
+    add	   $4,%esi
+    pmuludq %mm0,%mm0          # mm0 = sqr(a)
+    paddq  %mm0,%mm2           # add the carry
+    paddq  %mm3,%mm2           # add the low word
+    movd   4(%edi),%mm3
+    movd   %mm2,0(%edi)        # store the 32bit result
+    psrlq  $32, %mm2	
+    paddq  %mm3,%mm2           # add the high word
+    movd   %mm2,4(%edi)        # store the 32bit result
+    psrlq  $32, %mm2	       # save the carry.
+    add    $8,%edi
+    dec    %ecx			# --a_len
+    jnz    35b			# jmp if a_len != 0
+36:
+    movd   %mm2,%ebx
+    cmp    $0,%ebx		# is carry zero?
+    jz     38f
+    mov    0(%edi),%eax
+    add    %ebx, %eax
+    stosl
+    jnc    38f
+37:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     37b
+38:
+    emms
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #
+ # Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ # so its high bit is 1.   This code is from NSPR.
+ #
+ # mp_err _s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+ # 		          mp_digit *qp, mp_digit *rp)
+
+ #  esp +  0:   Caller's ebx
+ #  esp +  4:	return address
+ #  esp +  8:	Nhi	argument
+ #  esp + 12:	Nlo	argument
+ #  esp + 16:	divisor	argument
+ #  esp + 20:	qp	argument
+ #  esp + 24:   rp	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+ # 
+
+.globl	_s_mpv_div_2dx1d
+.type	_s_mpv_div_2dx1d,@function
+_s_mpv_div_2dx1d:
+       push   %ebx
+       mov    8(%esp),%edx
+       mov    12(%esp),%eax
+       mov    16(%esp),%ebx
+       div    %ebx
+       mov    20(%esp),%ebx
+       mov    %eax,0(%ebx)
+       mov    24(%esp),%ebx
+       mov    %edx,0(%ebx)
+       xor    %eax,%eax		# return zero
+       pop    %ebx
+       ret    
+       nop
+  
--- a/security/nss/lib/freebl/nsslowhash.c
+++ b/security/nss/lib/freebl/nsslowhash.c
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nsslowhash.c,v 1.3 2009/04/15 21:31:55 rrelyea%redhat.com Exp $ */
+/* $Id: nsslowhash.c,v 1.4 2009/06/09 23:34:06 rrelyea%redhat.com Exp $ */
 
 #include "stubs.h"
 #include "prtypes.h"
 #include "secerr.h"
 #include "pkcs11t.h"
 #include "blapi.h"
 #include "sechash.h"
 #include "nsslowhash.h"
@@ -284,56 +284,76 @@ static int nsslow_GetFIPSEnabled(void) {
     if (d != '1')
         return 0;
 #endif
     return 1;
 }
 
 
 static int post = 0;
+static int post_failed = 0;
 
 static NSSLOWInitContext dummyContext = { 0 };
 
 NSSLOWInitContext *
 NSSLOW_Init(void)
 {
     SECStatus rv;
     CK_RV crv;
     PRBool nsprAvailable = PR_FALSE;
 
 
     rv = FREEBL_InitStubs();
     nsprAvailable = (rv ==  SECSuccess ) ? PR_TRUE : PR_FALSE;
+
+    if (post_failed) {
+	return NULL;
+    }
 	
 
     if (!post && nsslow_GetFIPSEnabled()) {
 	crv = freebl_fipsPowerUpSelfTest();
 	if (crv != CKR_OK) {
+	    post_failed = 1;
 	    return NULL;
 	}
     }
     post = 1;
 
     
     return &dummyContext;
 }
 
 void
 NSSLOW_Shutdown(NSSLOWInitContext *context)
 {
    PORT_Assert(context == &dummyContext);
    return;
 }
 
+void
+NSSLOW_Reset(NSSLOWInitContext *context)
+{
+   PORT_Assert(context == &dummyContext);
+   post_failed = 0;
+   post = 0;
+   return;
+}
+
 NSSLOWHASHContext *
 NSSLOWHASH_NewContext(NSSLOWInitContext *initContext, 
 			HASH_HashType hashType)
 {
    NSSLOWHASHContext *context;
 
+   if (post_failed) {
+	PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR);
+	return NULL;
+   }
+
    if (initContext != &dummyContext) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return (NULL);
    }
 
    context = PORT_ZNew(NSSLOWHASHContext);
    if (!context) {
 	return NULL;
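Review bot: Both failure returns in NSSLOW_Init (the new `if (post_failed)` latch and the self-test failure branch) return NULL without setting an error code, while the new check in NSSLOWHASH_NewContext reports `SEC_ERROR_PKCS11_DEVICE_ERROR`. A caller of NSSLOW_Init therefore cannot tell a failed FIPS power-up self-test from any other NULL return; adding `PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR);` before each `return NULL;` would make the two entry points agree. NSSLOW_Reset checks its argument only with PORT_Assert, so if that assertion compiles out in release builds any pointer clears the latch. A short comment stating that Reset exists so the next NSSLOW_Init can run the self-test again would record the intent. NSSLOWHASH_NewContext continues past the end of the hunk.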
--- a/security/nss/lib/freebl/nsslowhash.h
+++ b/security/nss/lib/freebl/nsslowhash.h
@@ -40,16 +40,17 @@
  * Also NOTE: this only works with Hashing. Only the FIPS interface is enabled.
  */
 
 typedef struct NSSLOWInitContextStr NSSLOWInitContext;
 typedef struct NSSLOWHASHContextStr NSSLOWHASHContext;
 
 NSSLOWInitContext *NSSLOW_Init(void);
 void NSSLOW_Shutdown(NSSLOWInitContext *context);
+void NSSLOW_Reset(NSSLOWInitContext *context);
 NSSLOWHASHContext *NSSLOWHASH_NewContext(
 			NSSLOWInitContext *initContext, 
 			HASH_HashType hashType);
 void NSSLOWHASH_Begin(NSSLOWHASHContext *context);
 void NSSLOWHASH_Update(NSSLOWHASHContext *context, 
 			const unsigned char *buf, 
 			unsigned int len);
 void NSSLOWHASH_End(NSSLOWHASHContext *context, 
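Review bot: The new `NSSLOW_Reset` prototype has no comment describing its contract, although it is the one call that clears the self-test failure state. A comment above it would cover this, for example `/* Clear the power-up self-test state so the next NSSLOW_Init() runs the test again when FIPS mode is enabled. */`. That wording follows nsslowhash.c in this commit, where Reset sets `post` and `post_failed` to 0.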
--- a/security/nss/lib/freebl/stubs.c
+++ b/security/nss/lib/freebl/stubs.c
@@ -530,16 +530,24 @@ freebl_InitNSSUtil(void *lib)
  * fetch the library if it's loaded. For NSS it should already be loaded
  */
 #define freebl_getLibrary(libName)  \
     dlopen (libName, RTLD_LAZY|RTLD_NOLOAD)
 
 #define freebl_releaseLibrary(lib) \
     if (lib) dlclose(lib)
 
+static void * FREEBLnsprGlobalLib = NULL;
+static void * FREEBLnssutilGlobalLib = NULL;
+
+void __attribute ((destructor)) FREEBL_unload()
+{
+    freebl_releaseLibrary(FREEBLnsprGlobalLib);
+    freebl_releaseLibrary(FREEBLnssutilGlobalLib);
+}
 #endif
 
 /*
  * load the symbols from the real libraries if available.
  * 
  * if force is set, explicitly load the libraries if they are not already
  * loaded. If we could not use the real libraries, return failure.
  */
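Review bot: `FREEBL_unload` is defined without `static` and with an empty parameter list, so the destructor is also an ordinary external function; `static void __attribute__((destructor)) FREEBL_unload(void)` would keep it private to this file. It also leaves `FREEBLnsprGlobalLib` and `FREEBLnssutilGlobalLib` non-NULL after `dlclose`, so a second run would release the same handles again; setting each to NULL after the release would make it idempotent. Both points matter only if something other than the loader can reach the function, which the hunk does not show.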
@@ -547,35 +555,37 @@ extern SECStatus
 FREEBL_InitStubs()
 {
     SECStatus rv = SECSuccess;
 #ifdef FREEBL_NO_WEAK
     void *nspr = NULL; 
     void *nssutil = NULL; 
 
     /* NSPR should be first */
-    if (!ptr_PR_DestroyLock) {
+    if (!FREEBLnsprGlobalLib) {
 	nspr = freebl_getLibrary(nsprLibName);
 	if (!nspr) {
 	    return SECFailure;
 	}
 	rv = freebl_InitNSPR(nspr);
-	freebl_releaseLibrary(nspr);
 	if (rv != SECSuccess) {
+	    freebl_releaseLibrary(nspr);
 	    return rv;
 	}
+	FREEBLnsprGlobalLib = nspr; /* adopt */
     }
     /* now load NSSUTIL */
-    if (!ptr_SECITEM_ZfreeItem_Util) {
+    if (!FREEBLnssutilGlobalLib) {
 	nssutil= freebl_getLibrary(nssutilLibName);
 	if (!nssutil) {
 	    return SECFailure;
 	}
 	rv = freebl_InitNSSUtil(nssutil);
-	freebl_releaseLibrary(nssutil);
 	if (rv != SECSuccess) {
+	    freebl_releaseLibrary(nssutil);
 	    return rv;
 	}
+	FREEBLnssutilGlobalLib = nssutil; /* adopt */
     }
 #endif
 
     return rv;
 }
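Review bot: The `if (!FREEBLnsprGlobalLib)` and `if (!FREEBLnssutilGlobalLib)` tests are each followed by an unsynchronised store to the same global, so two threads entering FREEBL_InitStubs together could both call `freebl_getLibrary` and one handle would be overwritten without a matching `dlclose`. Whether callers serialise this function is not visible here. If they do, a comment above the function would record the requirement, for example `/* callers must serialise FREEBL_InitStubs; the handle globals are not locked */`.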
--- a/security/nss/lib/freebl/unix_rand.c
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -624,54 +624,16 @@ GiveSystemInfo(void)
     }
     rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
     if (rv > 0) {
 	RNG_RandomUpdate(buf, rv);
     }
 }
 #endif /* sinix */
 
-#if defined(VMS)
-#include <c_asm.h>
-
-static void
-GiveSystemInfo(void)
-{
-    long si;
- 
-    /* 
-     * This is copied from the SCO/UNIXWARE etc section. And like the comment
-     * there says, what's the point? This isn't random, it generates the same
-     * stuff every time its run!
-     */
-    si = sysconf(_SC_CHILD_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
- 
-    si = sysconf(_SC_STREAM_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
- 
-    si = sysconf(_SC_OPEN_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-}
- 
-/*
- * Use the "get the cycle counter" instruction on the alpha.
- * The low 32 bits completely turn over in less than a minute.
- * The high 32 bits are some non-counter gunk that changes sometimes.
- */
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    unsigned long t;
- 
-    t = asm("rpcc %v0");
-    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-}
- 
-#endif /* VMS */
 
 #ifdef BEOS
 #include <be/kernel/OS.h>
 
 static size_t
 GetHighResClock(void *buf, size_t maxbytes)
 {
     bigtime_t bigtime; /* Actually an int64 */
@@ -875,19 +837,16 @@ safe_pclose(FILE *fp)
     }
 
     /* Reset SIGCHLD signal hander before returning */
     sigaction(SIGCHLD, &oldact, NULL);
 
     return status;
 }
 
-
-#if !defined(VMS)
-
 #ifdef DARWIN
 #include <crt_externs.h>
 #endif
 
 /* Fork netstat to collect its output by default. Do not unset this unless
  * another source of entropy is available
  */
 #define DO_NETSTAT 1
@@ -1018,75 +977,16 @@ void RNG_SystemInfoForRNG(void)
     if (fp != NULL) {
 	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
 	    RNG_RandomUpdate(buf, bytes);
 	safe_pclose(fp);
     }
 #endif
 
 }
-#else
-void RNG_SystemInfoForRNG(void)
-{
-    FILE *fp;
-    char buf[BUFSIZ];
-    size_t bytes;
-    int extra;
-    char **cp;
-    extern char **environ;
-    char *randfile;
- 
-    GiveSystemInfo();
- 
-    bytes = RNG_GetNoise(buf, sizeof(buf));
-    RNG_RandomUpdate(buf, bytes);
- 
-    /*
-     * Pass the C environment and the addresses of the pointers to the
-     * hash function. This makes the random number function depend on the
-     * execution environment of the user and on the platform the program
-     * is running on.
-     */
-    cp = environ;
-    while (*cp) {
-	RNG_RandomUpdate(*cp, strlen(*cp));
-	cp++;
-    }
-    RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
- 
-    /* Give in system information */
-    if (gethostname(buf, sizeof(buf)) > 0) {
-	RNG_RandomUpdate(buf, strlen(buf));
-    }
-    GiveSystemInfo();
- 
-    /* If the user points us to a random file, pass it through the rng */
-    randfile = getenv("NSRANDFILE");
-    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
-	RNG_FileForRNG(randfile);
-    }
-
-    /*
-    ** We need to generate at least 1024 bytes of seed data. Since we don't
-    ** do the file stuff for VMS, and because the environ list is so short
-    ** on VMS, we need to make sure we generate enough. So do another 1000
-    ** bytes to be sure.
-    */
-    extra = 1000;
-    while (extra > 0) {
-        cp = environ;
-        while (*cp) {
-	    int n = strlen(*cp);
-	    RNG_RandomUpdate(*cp, n);
-	    extra -= n;
-	    cp++;
-        }
-    }
-}
-#endif
 
 #define TOTAL_FILE_LIMIT 1000000	/* one million */
 
 size_t RNG_FileUpdate(const char *fileName, size_t limit)
 {
     FILE *        file;
     size_t        bytes;
     size_t        fileBytes = 0;
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -53,16 +53,17 @@
 #include <stdio.h>
 #include "prio.h"
 #include "prerror.h"
 
 static PRInt32  filesToRead;
 static DWORD    totalFileBytes;
 static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
 static DWORD    dwNumFiles, dwReadEvery, dwFileToRead;
+static PRBool   usedWindowsPRNG;
 
 static BOOL
 CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
 {
     LARGE_INTEGER   liCount;
 
     if (!QueryPerformanceCounter(&liCount))
         return FALSE;
@@ -126,55 +127,53 @@ size_t RNG_GetNoise(void *buf, size_t ma
     nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
     memcpy(((char *)buf) + n, &sTime, nBytes);
     n += nBytes;
     }
 
     return n;
 }
 
-typedef PRInt32 (* Handler)(const char *);
+typedef PRInt32 (* Handler)(const PRUnichar *);
 #define MAX_DEPTH 2
+#define MAX_FOLDERS 4
+#define MAX_FILES 1024
 
 static void
 EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) 
 {
     int                 iContinue;
+    unsigned int        uFolders  = 0;
+    unsigned int        uFiles    = 0;
     HANDLE              lFindHandle;
     WIN32_FIND_DATAW    fdData;
     PRUnichar           szFileName[_MAX_PATH];
-    char                narrowFileName[_MAX_PATH];
 
     if (maxDepth < 0)
     	return;
-    // tack *.* on the end so we actually look for files. this will
-    // not overflow
-    wcscpy(szFileName, szSysDir);
-    wcscat(szFileName, L"\\*.*");
+    // append *.* so we actually look for files.
+    _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir);
 
     lFindHandle = FindFirstFileW(szFileName, &fdData);
     if (lFindHandle == INVALID_HANDLE_VALUE)
         return;
     do {
 	iContinue = 1;
 	if (wcscmp(fdData.cFileName, L".") == 0 ||
             wcscmp(fdData.cFileName, L"..") == 0) {
 	    // skip "." and ".."
 	} else {
 	    // pass the full pathname to the callback
 	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
 		       fdData.cFileName);
 	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
-		EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
+		if (++uFolders <= MAX_FOLDERS)
+		    EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
 	    } else {
-		iContinue = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-						narrowFileName, _MAX_PATH, 
-						NULL, NULL);
-		if (iContinue)
-		    iContinue = !(*func)(narrowFileName);
+		iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName);
 	    }
 	}
 	if (iContinue)
 	    iContinue = FindNextFileW(lFindHandle, &fdData);
     } while (iContinue);
     FindClose(lFindHandle);
 }
 
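Review bot: The `_snwprintf` call that builds the `*.*` pattern ignores its return value, and `_snwprintf` writes no terminating NUL when the formatted text fills or exceeds `_MAX_PATH` characters, so `FindFirstFileW` can be handed an unterminated `szFileName`. A truncation check closes this: declare `int n` with the other locals and use `if ((n = _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir)) < 0 || n >= _MAX_PATH) return;`. The unchanged `_snwprintf` inside the loop has the same gap, and there a truncated entry should be skipped rather than passed to the callback or the recursive call.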
@@ -182,17 +181,16 @@ static BOOL
 EnumSystemFiles(Handler func)
 {
     PRUnichar szSysDir[_MAX_PATH];
     static const int folders[] = {
     	CSIDL_BITBUCKET,  
 	CSIDL_RECENT,
 #ifndef WINCE		     
 	CSIDL_INTERNET_CACHE, 
-	CSIDL_COMPUTERSNEARME, 
 	CSIDL_HISTORY,
 #endif
 	0
     };
     int i = 0;
     if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
         if (i > 0 && szSysDir[i-1] == L'\\')
 	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
@@ -203,66 +201,81 @@ EnumSystemFiles(Handler func)
         if (szSysDir[0])
             EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
         szSysDir[0] =  L'\0';
     }
     return PR_TRUE;
 }
 
 static PRInt32
-CountFiles(const char *file)
+CountFiles(const PRUnichar *file)
 {
     dwNumFiles++;
     return 0;
 }
 
-static void 
+static int
 ReadSingleFile(const char *filename)
 {
     PRFileDesc *    file;
-    int             nBytes;
     unsigned char   buffer[1024];
 
     file = PR_Open(filename, PR_RDONLY, 0);
     if (file != NULL) {
 	while (PR_Read(file, buffer, sizeof buffer) > 0)
 	    ;
         PR_Close(file);
     }
+    return (file != NULL);
 }
 
 static PRInt32
-ReadOneFile(const char *file)
+ReadOneFile(const PRUnichar *szFileName)
 {
+    char narrowFileName[_MAX_PATH];
+
     if (dwNumFiles == dwFileToRead) {
-	ReadSingleFile(file);
+	int success = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
+					  narrowFileName, _MAX_PATH, 
+					  NULL, NULL);
+	if (success)
+	    success = ReadSingleFile(narrowFileName);
+    	if (!success)
+	    dwFileToRead++; /* couldn't read this one, read the next one. */
     }
     dwNumFiles++;
     return dwNumFiles > dwFileToRead;
 }
 
 static PRInt32
-ReadFiles(const char *file)
+ReadFiles(const PRUnichar *szFileName)
 {
+    char narrowFileName[_MAX_PATH];
+
     if ((dwNumFiles % dwReadEvery) == 0) {
 	++filesToRead;
     }
     if (filesToRead) {
-	DWORD    prevFileBytes = totalFileBytes;
-        RNG_FileForRNG(file);
+	DWORD prevFileBytes = totalFileBytes;
+	int   iContinue     = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
+						  narrowFileName, _MAX_PATH, 
+						  NULL, NULL);
+	if (iContinue) {
+	    RNG_FileForRNG(narrowFileName);
+	}
 	if (prevFileBytes < totalFileBytes) {
 	    --filesToRead;
 	}
     }
     dwNumFiles++;
     return (totalFileBytes >= maxFileBytes);
 }
 
 static void
-ReadSystemFiles()
+ReadSystemFiles(void)
 {
     // first count the number of files
     dwNumFiles = 0;
     if (!EnumSystemFiles(CountFiles))
         return;
 
     RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
 
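Review bot: In ReadOneFile and ReadFiles the `WideCharToMultiByte(CP_ACP, ...)` calls pass NULL as the last argument, so a file name with characters outside the ANSI code page still converts, but to a name with substituted characters that may not match the enumerated file. The later open then either fails or resolves to a different path. Passing the address of a `BOOL usedDefault` as the last argument and treating a set flag as a conversion failure would keep the narrow name faithful to the wide one. ReadSystemFiles continues past the end of the hunk.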
@@ -272,16 +285,17 @@ ReadSystemFiles()
     if (dwNumFiles == 0)
         return;
 
     dwReadEvery = dwNumFiles / 10;
     if (dwReadEvery == 0)
         dwReadEvery = 1;  // less than 10 files
 
     dwNumFiles = 0;
+    totalFileBytes = 0;
     EnumSystemFiles(ReadFiles);
 }
 
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
     char            buffer[256];
     int             nBytes;
@@ -344,18 +358,19 @@ void RNG_SystemInfoForRNG(void)
                          &dwNumClusters)) {
         RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
         RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
         RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
 #endif
 
-    // now let's do some files
-    ReadSystemFiles();
+    // Skip the potentially slow file scanning if the OS's PRNG worked.
+    if (!usedWindowsPRNG)
+	ReadSystemFiles();
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
 static void rng_systemJitter(void)
 {   
     dwNumFiles = 0;
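Review bot: The new `if (!usedWindowsPRNG)` test depends on RNG_SystemRNG having run before RNG_SystemInfoForRNG, and nothing in the file says so. The flag is a file-scope static that stays PR_FALSE until RNG_SystemRNG succeeds, so the file scan is kept by default, but it reflects only the most recent call and is not synchronised. A comment at the declaration would help, for example `/* set by RNG_SystemRNG: PR_TRUE only if the last call was served by the OS generator */`. RNG_SystemInfoForRNG begins before this hunk.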
@@ -405,18 +420,20 @@ void RNG_FileForRNG(const char *filename
  * The Windows CE and Windows Mobile FIPS Security Policy, page 13,
  * (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp825.pdf)
  * says CeGenRandom is the right function to call for creating a seed
  * for a random number generator.
  */
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
     size_t bytes = 0;
+    usedWindowsPRNG = PR_FALSE;
     if (CeGenRandom(maxLen, dest)) {
-	    bytes = maxLen;
+	bytes = maxLen;
+	usedWindowsPRNG = PR_TRUE;
     }
     if (bytes == 0) {
 	bytes = rng_systemFromNoise(dest,maxLen);
     }
     return bytes;
 }
 
 
@@ -424,18 +441,16 @@ size_t RNG_SystemRNG(void *dest, size_t 
 
 void RNG_FileForRNG(const char *filename)
 {
     FILE*           file;
     int             nBytes;
     struct stat     stat_buf;
     unsigned char   buffer[1024];
 
-   /* static DWORD    totalFileBytes = 0; */
-
     /* windows doesn't initialize all the bytes in the stat buf,
      * so initialize them all here to avoid UMRs.
      */
     memset(&stat_buf, 0, sizeof stat_buf);
 
     if (stat((char *)filename, &stat_buf) < 0)
         return;
 
@@ -511,25 +526,27 @@ size_t RNG_SystemRNG(void *dest, size_t 
     HMODULE hModule;
     RtlGenRandomFn pRtlGenRandom;
     CryptAcquireContextAFn pCryptAcquireContextA;
     CryptReleaseContextFn pCryptReleaseContext;
     CryptGenRandomFn pCryptGenRandom;
     HCRYPTPROV hCryptProv;
     size_t bytes = 0;
 
+    usedWindowsPRNG = PR_FALSE;
     hModule = LoadLibrary("advapi32.dll");
     if (hModule == NULL) {
 	return rng_systemFromNoise(dest,maxLen);
     }
     pRtlGenRandom = (RtlGenRandomFn)
 	GetProcAddress(hModule, "SystemFunction036");
     if (pRtlGenRandom) {
 	if (pRtlGenRandom(dest, maxLen)) {
 	    bytes = maxLen;
+	    usedWindowsPRNG = PR_TRUE;
 	} else {
 	    bytes = rng_systemFromNoise(dest,maxLen);
 	}
 	goto done;
     }
     pCryptAcquireContextA = (CryptAcquireContextAFn)
 	GetProcAddress(hModule, "CryptAcquireContextA");
     pCryptReleaseContext = (CryptReleaseContextFn)
@@ -539,16 +556,17 @@ size_t RNG_SystemRNG(void *dest, size_t 
     if (!pCryptAcquireContextA || !pCryptReleaseContext || !pCryptGenRandom) {
 	bytes = rng_systemFromNoise(dest,maxLen);
 	goto done;
     }
     if (pCryptAcquireContextA(&hCryptProv, NULL, NULL,
 	PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
 	if (pCryptGenRandom(hCryptProv, maxLen, dest)) {
 	    bytes = maxLen;
+	    usedWindowsPRNG = PR_TRUE;
 	}
 	pCryptReleaseContext(hCryptProv, 0);
     }
     if (bytes == 0) {
 	bytes = rng_systemFromNoise(dest,maxLen);
     }
 done:
     FreeLibrary(hModule);
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -338,21 +338,21 @@ jar_parse_any(JAR *jar, int type, JAR_Si
 	return status;
 #endif
 
     /* null terminate the first line */
     raw_manifest = jar_eat_line(0, PR_TRUE, raw_manifest, &raw_len);
 
     /* skip over the preliminary section */
     /* This is one section at the top of the file with global metainfo */
-    while (raw_len) {
+    while (raw_len > 0) {
 	JAR_Metainfo *met;
 
 	raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len);
-	if (!*raw_manifest)
+	if (raw_len <= 0 || !*raw_manifest)
 	    break;
 
 	met = PORT_ZNew(JAR_Metainfo);
 	if (met == NULL)
 	    return JAR_ERR_MEMORY;
 
 	/* Parse out the header & info */
 	if (PORT_Strlen (raw_manifest) >= SZ) {
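Review bot: The `PORT_Strlen (raw_manifest) >= SZ` test right after the new `raw_len <= 0` guard still scans for a NUL with no length bound. jar_eat_line, as rewritten later in this commit, writes the terminator only when it finds a line ending inside `*len`, and its new comment says the input is not NUL terminated. A final line without a line ending may therefore leave this scan running past the buffer unless the caller appends a NUL, which is not visible here. The same pattern appears in the inner loop of the third jarver.c hunk. Either bound the length check by `raw_len` or state the terminator requirement in a comment on jar_parse_any, which starts and ends outside this hunk.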
@@ -438,17 +438,17 @@ jar_parse_any(JAR *jar, int type, JAR_Si
 	if (match != 0) {
 	    /* global digest doesn't match, SF file therefore invalid */
 	    jar->valid = JAR_ERR_METADATA;
 	    return JAR_ERR_METADATA;
 	}
     }
 
     /* done with top section of global data */
-    while (raw_len) {
+    while (raw_len > 0) {
 	*x_md5 = 0;
 	*x_sha = 0;
 	*x_name = 0;
 
 	/* If this is a manifest file, attempt to get a digest of the following
 	   section, without damaging it. This digest will be saved later. */
 
 	if (type == jarTypeMF) {
@@ -456,28 +456,28 @@ jar_parse_any(JAR *jar, int type, JAR_Si
 	    long sec_len = raw_len;
 
 	    if (!*raw_manifest || *raw_manifest == '\n') {
 		/* skip the blank line */
 		sec = jar_eat_line(1, PR_FALSE, raw_manifest, &sec_len);
 	    } else
 		sec = raw_manifest;
 
-	    if (!PORT_Strncasecmp(sec, "Name:", 5)) {
+	    if (sec_len > 0 && !PORT_Strncasecmp(sec, "Name:", 5)) {
 		if (type == jarTypeMF)
 		    mfdig = jar_digest_section(sec, sec_len);
 		else
 		    mfdig = NULL;
 	    }
 	}
 
 
-	while (raw_len) {
+	while (raw_len > 0) {
 	    raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len);
-	    if (!*raw_manifest)
+	    if (raw_len <= 0 || !*raw_manifest)
 		break; /* blank line, done with this entry */
 
 	    if (PORT_Strlen(raw_manifest) >= SZ) {
 		/* almost certainly nonsense */
 		continue;
 	    }
 
 	    /* Parse out the name/value pair */
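Review bot: `sec_len > 0` admits a section of one to four bytes, yet `PORT_Strncasecmp(sec, "Name:", 5)` may compare up to five; the guard should be `sec_len >= 5 && !PORT_Strncasecmp(sec, "Name:", 5)`. The comparison stops early at a NUL, so this matters only when fewer than five bytes remain and none of them is NUL. jar_parse_any starts and ends outside the hunk.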
@@ -742,63 +742,82 @@ loser:
 	PORT_Free(fing);
     }
     return JAR_ERR_MEMORY;
 }
 
 /*
  *  e a t _ l i n e
  *
- *  Consume an ASCII line from the top of a file kept in memory. 
- *  This destroys the file in place. 
+ * Reads and/or modifies input buffer "data" of length "*len".
+ * This function does zero, one or two of the following tasks:
+ * 1) if "lines" is non-zero, it reads and discards that many lines from
+ *    the input.  NUL characters are treated as end-of-line characters,
+ *    not as end-of-input characters.  The input is NOT NUL terminated.
+ *    Note: presently, all callers pass either 0 or 1 for lines.
+ * 2) After skipping the specified number of input lines, if "eating" is 
+ *    non-zero, it finds the end of the next line of input and replaces
+ *    the end of line character(s) with a NUL character.
+ *  This function modifies the input buffer, containing the file, in place. 
  *  This function handles PC, Mac, and Unix style text files.
+ *  On entry, *len contains the maximum number of characters that this
+ *  function should ever examine, starting with the character in *data.
+ *  On return, *len is reduced by the number of characters skipped by the
+ *  first task, if any;
+ *  If lines is zero and eating is false, this function returns
+ *  the value in the data argument, but otherwise does nothing.
  */
 static char *
 jar_eat_line(int lines, int eating, char *data, long *len)
 {
-    char *ret;
+    char *start = data;
+    long maxLen = *len;
 
-    ret = data;
-    if (!*len)
-	return ret;
+    if (maxLen <= 0)
+	return start;
+
+#define GO_ON ((data - start) < maxLen)
 
     /* Eat the requisite number of lines, if any;
-	 prior to terminating the current line with a 0. */
+       prior to terminating the current line with a 0. */
+    for (/* yip */ ; lines > 0; lines--) {
+	while (GO_ON && *data && *data != '\r' && *data != '\n')
+	    data++;
 
-    for (/* yip */ ; lines; lines--) {
-	while (*data && *data != '\n')
+	/* Eat any leading CR */
+	if (GO_ON && *data == '\r')
 	    data++;
 
 	/* After the CR, ok to eat one LF */
-	if (*data == '\n')
+	if (GO_ON && *data == '\n')
 	    data++;
 
-	/* If there are zeros, we put them there */
-	while (*data == 0 && data - ret < *len)
+	/* If there are NULs, this function probably put them there */
+	while (GO_ON && !*data)
 	    data++;
     }
-
-    *len -= data - ret;
-    ret = data;
-
-    if (eating) {
+    maxLen -= data - start;           /* we have this many characters left. */
+    *len  = maxLen;
+    start = data;                     /* now start again here.            */
+    if (maxLen > 0 && eating) {
 	/* Terminate this line with a 0 */
-	while (*data && *data != '\n' && *data != '\r')
+	while (GO_ON && *data && *data != '\n' && *data != '\r')
 	    data++;
 
-	/* In any case we are allowed to eat CR */
-	if (*data == '\r')
+	/* If not past the end, we are allowed to eat one CR */
+	if (GO_ON && *data == '\r')
 	    *data++ = 0;
 
-	/* After the CR, ok to eat one LF */
-	if (*data == '\n')
+	/* After the CR (if any), if not past the end, ok to eat one LF */
+	if (GO_ON && *data == '\n')
 	    *data++ = 0;
     }
-    return ret;
+    return start;
 }
+#undef GO_ON
 
 /*
  *  j a r _ d i g e s t _ s e c t i o n
  *
  *  Return the digests of the next section of the manifest file.
  *  Does not damage the manifest file, unlike parse_manifest.
  *
  */
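Review bot: `GO_ON` is a function-local macro that silently reads `data`, `start` and `maxLen`, and it stays correct only because `start` and `maxLen` are updated together halfway through jar_eat_line. A fixed end pointer expresses the same bound more plainly: `const char *end = data + *len;` at the top, then `data < end` wherever `GO_ON` appears, which also removes the `#define`/`#undef` pair. The header comment could add that when the last line has no line ending within `*len`, no NUL is written and the returned text is not terminated by this function.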
@@ -806,19 +825,19 @@ static JAR_Digest *
 jar_digest_section(char *manifest, long length)
 {
     long global_len;
     char *global_end;
 
     global_end = manifest;
     global_len = length;
 
-    while (global_len) {
+    while (global_len > 0) {
 	global_end = jar_eat_line(1, PR_FALSE, global_end, &global_len);
-	if (*global_end == 0 || *global_end == '\n')
+	if (global_len > 0 && (*global_end == 0 || *global_end == '\n'))
 	    break;
     }
     return JAR_calculate_digest (manifest, global_end - manifest);
 }
 
 /*
  *  J A R _ v e r i f y _ d i g e s t
  *
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -137,17 +137,17 @@ PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICAT
 PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain,0),
 PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain,0),
 PKIX_ERRORENTRY(CERTCHECKCERTTYPEFAILED,Check cert type failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
 PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed,SEC_ERROR_EXPIRED_CERTIFICATE),
 PKIX_ERRORENTRY(CERTCHECKCRLFAILED,Fail to get crl cache issued by cert,0),
 PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE),
 PKIX_ERRORENTRY(CERTCHECKNAMECONSTRAINTSFAILED,PKIX_PL_Cert_CheckNameConstraints failed,0),
-PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,SEC_ERROR_CERT_NOT_VALID),
+PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,0),
 PKIX_ERRORENTRY(CERTCOMPLETECRLDECODEDENTRIESFAILED,CERT_CompleteCRLDecodedEntries failed,0),
 PKIX_ERRORENTRY(CERTCOPYNAMECONSTRAINTFAILED,CERT_CopyNameConstraint failed,0),
 PKIX_ERRORENTRY(CERTCOPYNAMEFAILED,CERT_CopyName failed,0),
 PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed,0),
 PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed,0),
 PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed,0),
 PKIX_ERRORENTRY(CERTCREATEWITHNSSCERTFAILED,pkix_pl_Cert_CreateWithNSSCert failed,0),
 PKIX_ERRORENTRY(CERTDECODEALTNAMEEXTENSIONFAILED,CERT_DecodeAltNameExtension failed,0),
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ -269,16 +269,18 @@ pkix_pl_AIAMgr_GetHTTPCerts(
 
                 PKIX_CHECK(PKIX_PL_InfoAccess_GetLocation
                         (ia, &location, plContext),
                        PKIX_INFOACCESSGETLOCATIONFAILED);
 
                 /* find or create httpClient = default client */
 		httpClient = SEC_GetRegisteredHttpClient();
 		aiaMgr->client.hdata.httpClient = httpClient;
+		if (!httpClient)
+		    PKIX_ERROR(PKIX_OUTOFMEMORY);
 
 		if (httpClient->version == 1) {
 
                         PKIX_UInt32 timeout =
                              ((PKIX_PL_NssContext*)plContext)->timeoutSeconds;
 
 			hcv1 = &(httpClient->fcnTable.ftable1);
 
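Review bot: The new check in pkix_pl_AIAMgr_GetHTTPCerts reports `PKIX_OUTOFMEMORY` when `httpClient` is NULL, which misdescribes the failure if SEC_GetRegisteredHttpClient() returns NULL because no HTTP client is registered rather than because an allocation failed. An error entry that names the missing client would make AIA fetch failures easier to diagnose. The check is also an unbraced `if` around a macro invocation, unlike the braced `PKIX_ERROR` uses in pkix_pl_crldp.c in this changeset; `if (!httpClient) { PKIX_ERROR(PKIX_OUTOFMEMORY); }` is the safer form whichever code is chosen. The function starts and ends outside the hunk.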
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
@@ -147,29 +147,29 @@ pkix_pl_CrlDp_Create(
                  * a distinguish name. */
                 PKIX_ERROR(PKIX_NOTCONFORMINGCRLDP);
             }
             issuerName = &dp->crlIssuer->name.directoryName;
         } else {
             issuerName = certIssuerName;
         }
         rdnArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-        if (rdnArena) {
+        if (!rdnArena) {
             PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
         }
         issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName*);
         if (!issuerNameCopy) {
             PKIX_ERROR(PKIX_ALLOCERROR);
         }
         rv = CERT_CopyName(rdnArena, issuerNameCopy, (CERTName*)issuerName);
         if (rv == SECFailure) {
             PKIX_ERROR(PKIX_ALLOCERROR);
         }
         rv = CERT_AddRDN(issuerNameCopy, (CERTRDN*)relName);
-        if (rv = SECFailure) {
+        if (rv == SECFailure) {
             PKIX_ERROR(PKIX_ALLOCERROR);
         }
         dpl->distPointType = relativeDistinguishedName;
         dpl->name.issuerName = issuerNameCopy;
         rdnArena = NULL;
     }
     *pPkixDP = dpl;
     dpl = NULL;
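Review bot: The allocation right after the corrected arena check, `PORT_ArenaZNew(rdnArena, CERTName*)`, passes a pointer type where the element type appears to be intended. If the macro sizes the allocation from its type argument (as `PORT_ZNew(CK_ECDH1_DERIVE_PARAMS)` in pk11skey.c suggests), only pointer-size bytes are reserved for a CERTName, and CERT_CopyName and CERT_AddRDN would then write past the block. With the inverted `rdnArena` test fixed, this path now runs, so the line should read `issuerNameCopy = PORT_ArenaZNew(rdnArena, CERTName);`. pkix_pl_CrlDp_Create starts and ends outside the hunk.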
--- a/security/nss/lib/nss/config.mk
+++ b/security/nss/lib/nss/config.mk
@@ -124,39 +124,16 @@ SHARED_LIBRARY_DIRS = \
 	../libpkix/pkix/util \
 	../libpkix/pkix/crlsel \
 	../libpkix/pkix/store \
 	../libpkix/pkix_pl_nss/pki \
 	../libpkix/pkix_pl_nss/system \
 	../libpkix/pkix_pl_nss/module \
 	$(NULL)
 
-ifeq ($(OS_TARGET),SunOS)
-ifeq ($(BUILD_SUN_PKG), 1)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-ifeq ($(USE_64), 1)
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
-else
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
-endif
-else
-MKSHLIB += -R '$$ORIGIN'
-endif
-endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
-
 ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
 ifndef NS_USE_GCC
 # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
 # but do not put it in the import library.  See bug 142575.
 DEFINES += -DWIN32_NSS3_DLL_COMPAT
 DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
 endif
 endif
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.66 2009/04/30 18:16:09 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.67 2009/07/20 20:06:57 nelson%bolyard.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
 #ifdef NSS_ENABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
@@ -61,17 +61,17 @@
 
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.12.4.1" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.12.4.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
 #define NSS_VPATCH   4
 #define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -31,19 +31,20 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nssinit.c,v 1.97 2008/08/22 01:33:03 wtc%google.com Exp $ */
+/* $Id: nssinit.c,v 1.98 2009/05/29 19:23:30 wtc%google.com Exp $ */
 
 #include <ctype.h>
+#include <string.h>
 #include "seccomon.h"
 #include "prinit.h"
 #include "prprf.h"
 #include "prmem.h"
 #include "cert.h"
 #include "key.h"
 #include "ssl.h"
 #include "sslproto.h"
@@ -550,17 +551,21 @@ loser:
 	}
 	if (nss_InitShutdownList() != SECSuccess) {
 	    return SECFailure;
 	}
 	CERT_SetDefaultCertDB((CERTCertDBHandle *)
 				STAN_GetDefaultTrustDomain());
 	if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
 	    if (!SECMOD_HasRootCerts()) {
-		nss_FindExternalRoot(configdir, secmodName);
+		const char *dbpath = configdir;
+		if (strncmp(dbpath, "sql:", 4) == 0) {
+		    dbpath += 4;
+		}
+		nss_FindExternalRoot(dbpath, secmodName);
 	    }
 	}
 	pk11sdr_Init();
 	cert_CreateSubjectKeyIDHashTable();
 	nss_IsInitted = PR_TRUE;
     }
 
     if (SECSuccess == rv) {
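Review bot: The prefix handling added before nss_FindExternalRoot recognises only `sql:`, so if configdir can carry any other database-type prefix, that prefix still ends up in the directory used to locate the external root module. `strncmp(dbpath, "sql:", 4)` also dereferences configdir, so it relies on configdir being non-NULL whenever this branch is reached, which the hunk does not show. A comment such as `/* configdir may be "sql:<dir>"; the root module is looked up in <dir> */` would record the intent, and the literal 4 could be `sizeof("sql:") - 1`. The enclosing function starts and ends outside the hunk.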
--- a/security/nss/lib/pk11wrap/pk11auth.c
+++ b/security/nss/lib/pk11wrap/pk11auth.c
@@ -625,26 +625,27 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBo
 	}
     } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
     return rv;
 }
 
 void PK11_LogoutAll(void)
 {
     SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
-    SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *modList;
     SECMODModuleList *mlp = NULL;
     int i;
 
     /* NSS is not initialized, there are not tokens to log out */
     if (lock == NULL) {
 	return;
     }
 
     SECMOD_GetReadLock(lock);
+    modList = SECMOD_GetDefaultModuleList();
     /* find the number of entries */
     for (mlp = modList; mlp != NULL; mlp = mlp->next) {
 	for (i=0; i < mlp->module->slotCount; i++) {
 	    PK11_Logout(mlp->module->slots[i]);
 	}
     }
 
     SECMOD_ReleaseReadLock(lock);
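Review bot: The comment `/* find the number of entries */` above the loop in PK11_LogoutAll does not describe what the loop does, which is to call PK11_Logout on every slot of every module. The reason for moving SECMOD_GetDefaultModuleList() below SECMOD_GetReadLock is also not recorded. Replacing the comment with `/* read the list head only while holding the read lock, then log out of every slot */` would cover both. The function ends outside the hunk.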
--- a/security/nss/lib/pk11wrap/pk11sdr.h
+++ b/security/nss/lib/pk11wrap/pk11sdr.h
@@ -38,22 +38,23 @@
 #define _PK11SDR_H_
 
 #include "seccomon.h"
 
 SEC_BEGIN_PROTOS
 
 /*
  * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
- *
+ * result should be freed with SECItem_ZfreeItem
  */
 SECStatus
 PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
 
 /*
  * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
+ * result should be freed with SECItem_ZfreeItem
  */
 SECStatus
 PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
 
 SEC_END_PROTOS
 
 #endif
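Review bot: Both added comment lines name `SECItem_ZfreeItem`, but the function is spelled `SECITEM_ZfreeItem` where it is called in this changeset (p12d.c, `SECITEM_ZfreeItem(nickName, PR_TRUE)`), so a reader searching for the documented name will not find it. The comment should also say which second argument applies, since `result` is a caller-supplied SECItem; presumably `PR_FALSE`, to be confirmed against the implementation. Suggested wording: `result should be freed with SECITEM_ZfreeItem(result, PR_FALSE)`. Naming the zeroizing free matters most for PK11SDR_Decrypt, whose result holds the recovered plaintext.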
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -45,16 +45,17 @@
 #include "nssilock.h"
 #include "secmodi.h"
 #include "secmodti.h"
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "secerr.h"
+#include "hasht.h"
 
 /* forward static declarations. */
 static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, 
 	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
 	CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, 
 	unsigned int numAttrs, PRBool isPerm);
 
 static void
@@ -673,40 +674,52 @@ PK11_GetKeyData(PK11SymKey *symKey)
 
 /* This symbol is exported for backward compatibility. */
 SECItem *
 __PK11_GetKeyData(PK11SymKey *symKey)
 {
     return PK11_GetKeyData(symKey);
 }
 
+
+/*
+ * PKCS #11 key Types with predefined length
+ */
+unsigned int
+pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType)
+{
+    int length = 0;
+    switch (keyType) {
+      case CKK_DES: length = 8; break;
+      case CKK_DES2: length = 16; break;
+      case CKK_DES3: length = 24; break;
+      case CKK_SKIPJACK: length = 10; break;
+      case CKK_BATON: length = 20; break;
+      case CKK_JUNIPER: length = 20; break;
+      default: break;
+    }
+    return length;
+}
+
 /* return the keylength if possible.  '0' if not */
 unsigned int
 PK11_GetKeyLength(PK11SymKey *key)
 {
     CK_KEY_TYPE keyType;
 
     if (key->size != 0) return key->size;
 
     /* First try to figure out the key length from its type */
     keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
-    switch (keyType) {
-      case CKK_DES: key->size = 8; break;
-      case CKK_DES2: key->size = 16; break;
-      case CKK_DES3: key->size = 24; break;
-      case CKK_SKIPJACK: key->size = 10; break;
-      case CKK_BATON: key->size = 20; break;
-      case CKK_JUNIPER: key->size = 20; break;
-      case CKK_GENERIC_SECRET:
-	if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
-	    key->size=48;
-	}
-	break;
-      default: break;
+    key->size = pk11_GetPredefinedKeyLength(keyType);
+    if ((keyType == CKK_GENERIC_SECRET) &&
+	(key->type == CKM_SSL3_PRE_MASTER_KEY_GEN))  {
+	key->size=48;
     }
+
    if( key->size != 0 ) return key->size;
 
    if (key->data.data == NULL) {
 	PK11_ExtractKeyValue(key);
    }
    /* key is probably secret. Look up its length */
    /*  this is new PKCS #11 version 2.0 functionality. */
    if (key->size == 0) {
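Review bot: `pk11_GetPredefinedKeyLength` is added with external linkage and no visible prototype, and it accumulates into `int length` while returning `unsigned int`. If it is used only inside pk11skey.c, as its callers in this changeset suggest, it should be declared `static unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType)` with `unsigned int length = 0;`; otherwise it needs a declaration in the internal header. The header comment could also state the contract, for example `returns the fixed key length for keyType, or 0 if the type has no predefined length`. PK11_GetKeyLength continues past the end of the hunk.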
@@ -1631,17 +1644,16 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
 	    CK_BBOOL cktrue = CK_TRUE;
 	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
 	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
 	    CK_ULONG key_size = 0;
 	    CK_ATTRIBUTE keyTemplate[4];
 	    int templateCount;
 	    CK_ATTRIBUTE *attrs = keyTemplate;
 	    CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;
-	    SECItem *pubValue = NULL;
 
 	    if (pubKey->keyType != ecKey) {
 		PORT_SetError(SEC_ERROR_BAD_KEY);
 		break;
 	    }
 
 	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
 	    attrs++;
@@ -1650,52 +1662,66 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
 	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
 	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
 	    attrs++;
 	    templateCount =  attrs - keyTemplate;
 	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
 
 	    keyType = PK11_GetKeyType(target,keySize);
 	    key_size = keySize;
-	    symKey->size = keySize;
-	    if (key_size == 0) templateCount--;
+	    if (key_size == 0) {
+		if (pk11_GetPredefinedKeyLength(keyType)) {
+		    templateCount --;
+		} else {
+		    /* sigh, some tokens can't figure this out and require
+		     * CKA_VALUE_LEN to be set */
+		    key_size = SHA1_LENGTH;
+		}
+	    }
+	    symKey->size = key_size;
 
 	    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); 
 	    mechParams->kdf = CKD_SHA1_KDF;
 	    mechParams->ulSharedDataLen = 0;
 	    mechParams->pSharedData = NULL;
-
-	    if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) {
-		mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
-		mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
-	    } else {
-		pubValue = SEC_ASN1EncodeItem(NULL, NULL,
-			&pubKey->u.ec.publicValue,
-			SEC_ASN1_GET(SEC_OctetStringTemplate));
-		if (pubValue == NULL) {
-	    	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
-		    break;
-		}
-		mechParams->ulPublicDataLen =  pubValue->len;
-		mechParams->pPublicData =  pubValue->data;
-	    }
+	    mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
+	    mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
 
 	    mechanism.mechanism = derive;
 	    mechanism.pParameter = mechParams;
 	    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
 
 	    pk11_EnterKeyMonitor(symKey);
 	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
 		&mechanism, privKey->pkcs11ID, keyTemplate, 
 		templateCount, &symKey->objectID);
 	    pk11_ExitKeyMonitor(symKey);
 
-	    if (pubValue) {
+	    /* old PKCS #11 spec was ambiguous on what needed to be passed,
+	     * try this again with and encoded public key */
+	    if (crv != CKR_OK) {
+		SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
+			&pubKey->u.ec.publicValue,
+			SEC_ASN1_GET(SEC_OctetStringTemplate));
+		if (pubValue == NULL) {
+	    	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
+		    break;
+		}
+		mechParams->ulPublicDataLen =  pubValue->len;
+		mechParams->pPublicData =  pubValue->data;
+
+		pk11_EnterKeyMonitor(symKey);
+		crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
+		    &mechanism, privKey->pkcs11ID, keyTemplate, 
+		    templateCount, &symKey->objectID);
+		pk11_ExitKeyMonitor(symKey);
+
 		SECITEM_FreeItem(pubValue,PR_TRUE);
 	    }
+
 	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
 
 	    if (crv == CKR_OK) return symKey;
 	    PORT_SetError( PK11_MapError(crv) );
 	}
    }
 
    PK11_FreeSymKey(symKey);
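Review bot: `mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);` is dereferenced on the next line without a NULL check, while pk11_PubDeriveECKeyWithKDF later in this file checks the same allocation. Adding `if (mechParams == NULL) break;` right after it matches the other failure exits in this case block. Separately, the new retry runs on any `crv != CKR_OK`, so failures unrelated to the public-value encoding cause a second C_DeriveKey call and the first return code is overwritten; the retry in pk11_PubDeriveECKeyWithKDF behaves the same way. A comment explaining why the retry is unconditional, or keeping the first `crv` when the retry also fails, would make the reported error easier to interpret. The case block starts outside the hunk.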
@@ -1717,17 +1743,16 @@ pk11_PubDeriveECKeyWithKDF(
     CK_BBOOL                cktrue          = CK_TRUE;
     CK_OBJECT_CLASS         keyClass        = CKO_SECRET_KEY;
     CK_KEY_TYPE             keyType         = CKK_GENERIC_SECRET;
     CK_ULONG                key_size        = 0;
     CK_ATTRIBUTE            keyTemplate[4];
     int                     templateCount;
     CK_ATTRIBUTE           *attrs           = keyTemplate;
     CK_ECDH1_DERIVE_PARAMS *mechParams      = NULL;
-    SECItem *pubValue = NULL;
 
     if (pubKey->keyType != ecKey) {
 	PORT_SetError(SEC_ERROR_BAD_KEY);
 	return NULL;
     }
     if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) {
 	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
 	return NULL;
@@ -1745,63 +1770,87 @@ pk11_PubDeriveECKeyWithKDF(
     PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));    attrs++;
     PK11_SETATTRS(attrs, operation, &cktrue, 1);                      attrs++;
     PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++;
     templateCount =  attrs - keyTemplate;
     PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
 
     keyType = PK11_GetKeyType(target,keySize);
     key_size = keySize;
-    symKey->size = keySize;
-    if (key_size == 0) 
-    	templateCount--;
+    if (key_size == 0) {
+	if (pk11_GetPredefinedKeyLength(keyType)) {
+	    templateCount --;
+	} else {
+	    /* sigh, some tokens can't figure this out and require
+	     * CKA_VALUE_LEN to be set */
+	    switch (kdf) {
+	    case CKD_NULL:
+		key_size = (pubKey->u.ec.publicValue.len-1)/2;
+		break;
+	    case CKD_SHA1_KDF:
+		key_size = SHA1_LENGTH;
+		break;
+	    default:
+		PORT_Assert(!"Invalid CKD");
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return NULL;
+	    }
+	}
+    }
+    symKey->size = key_size;
 
     mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);
     if (!mechParams) {
 	PK11_FreeSymKey(symKey);
 	return NULL;
     }
     mechParams->kdf = kdf;
     if (sharedData == NULL) {
 	mechParams->ulSharedDataLen = 0;
 	mechParams->pSharedData     = NULL;
     } else {
 	mechParams->ulSharedDataLen = sharedData->len;
 	mechParams->pSharedData     = sharedData->data;
     }
-    if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) {
-	mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
-	mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
-    } else {
-	pubValue = SEC_ASN1EncodeItem(NULL, NULL,
-		&pubKey->u.ec.publicValue,
-		SEC_ASN1_GET(SEC_OctetStringTemplate));
-	if (pubValue == NULL) {
-    	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
-	    PK11_FreeSymKey(symKey);
-	    return NULL;
-	}
-	mechParams->ulPublicDataLen =  pubValue->len;
-	mechParams->pPublicData =  pubValue->data;
-    }
+    mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
+    mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
 
     mechanism.mechanism      = derive;
     mechanism.pParameter     = mechParams;
     mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
 
     pk11_EnterKeyMonitor(symKey);
     crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, 
     	privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
     pk11_ExitKeyMonitor(symKey);
 
-    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
-    if (pubValue) {
+    /* old PKCS #11 spec was ambiguous on what needed to be passed,
+     * try this again with and encoded public key */
+    if (crv != CKR_OK) {
+	SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
+		&pubKey->u.ec.publicValue,
+		SEC_ASN1_GET(SEC_OctetStringTemplate));
+	if (pubValue == NULL) {
+	    goto loser;
+	}
+	mechParams->ulPublicDataLen =  pubValue->len;
+	mechParams->pPublicData =  pubValue->data;
+
+	pk11_EnterKeyMonitor(symKey);
+	crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
+	    &mechanism, privKey->pkcs11ID, keyTemplate, 
+	    templateCount, &symKey->objectID);
+	pk11_ExitKeyMonitor(symKey);
+
 	SECITEM_FreeItem(pubValue,PR_TRUE);
     }
 
+loser:
+    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
+
     if (crv != CKR_OK) {
 	PK11_FreeSymKey(symKey);
 	symKey = NULL;
 	PORT_SetError( PK11_MapError(crv) );
     }
     return symKey;
 }
 
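Review bot: In the `CKD_NULL` branch, `key_size = (pubKey->u.ec.publicValue.len-1)/2` wraps to a very large value when `publicValue.len` is 0 (assuming the length field is unsigned, to be confirmed). It also assumes an uncompressed point encoding, and nothing visible in the hunk validates the length before it is used as CKA_VALUE_LEN. Rejecting a zero or implausibly short length with `SEC_ERROR_BAD_KEY` before the switch would keep the derived length well defined. The new `default:` branch also returns NULL without `PK11_FreeSymKey(symKey)`, unlike the `mechParams` failure path just below it; that branch looks unreachable after the earlier `kdf` range check, but it should still release the key.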
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -477,23 +477,29 @@ PK11_ExitSlotMonitor(PK11SlotInfo *slot)
 
 /***********************************************************
  * Functions to find specific slots.
  ***********************************************************/
 PRBool
 SECMOD_HasRootCerts(void)
 {
    SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODModuleList *modules;
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    int i;
    PRBool found = PR_FALSE;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return found;
+    }
+
    /* work through all the slots */
    SECMOD_GetReadLock(moduleLock);
+   modules = SECMOD_GetDefaultModuleList();
    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 	for (i=0; i < mlp->module->slotCount; i++) {
 	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
 	    if (PK11_IsPresent(tmpSlot)) {
 		if (tmpSlot->hasRootCerts) {
 		    found = PR_TRUE;
 		    break;
 		}
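Review bot: With the new `if (!moduleLock)` exit, SECMOD_HasRootCerts returns PR_FALSE both when no module has root certs and when NSS is not initialized, and only the error code tells the two apart. The same holds for the other PRBool-returning functions given this check: PK11_TokenExists in this file, and SECMOD_IsModulePresent and SECMOD_HasRemovableSlots in pk11util.c. nss_Init in this changeset calls nss_FindExternalRoot whenever this function returns false, so the contract is worth stating in the function comment: `/* Returns PR_FALSE with SEC_ERROR_NOT_INITIALIZED set if NSS is not initialized. */`. The added block is also indented differently from the three-space indentation used in the rest of the function. The function body continues past the hunk.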
@@ -509,39 +515,45 @@ SECMOD_HasRootCerts(void)
 /***********************************************************
  * Functions to find specific slots.
  ***********************************************************/
 PK11SlotList *
 PK11_FindSlotsByNames(const char *dllName, const char* slotName,
                         const char* tokenName, PRBool presentOnly)
 {
     SECMODModuleList *mlp;
-    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *modules;
     SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     int i;
     PK11SlotList* slotList = NULL;
     PRUint32 slotcount = 0;
     SECStatus rv = SECSuccess;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return slotList;
+    }
+
     slotList = PK11_NewSlotList();
     if (!slotList) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return NULL;
+        return slotList;
     }
 
     if ( ((NULL == dllName) || (0 == *dllName)) &&
         ((NULL == slotName) || (0 == *slotName)) &&
         ((NULL == tokenName) || (0 == *tokenName)) ) {
         /* default to softoken */
         PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot());
         return slotList;
     }
 
     /* work through all the slots */
     SECMOD_GetReadLock(moduleLock);
+    modules = SECMOD_GetDefaultModuleList();
     for (mlp = modules; mlp != NULL; mlp = mlp->next) {
         PORT_Assert(mlp->module);
         if (!mlp->module) {
             rv = SECFailure;
             break;
         }
         if ((!dllName) || (mlp->module->dllName &&
             (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) {
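Review bot: The default-to-softoken path in PK11_FindSlotsByNames passes `PK11_GetInternalKeySlot()` straight into `PK11_AddSlotToList` with no NULL check and no release. If that call returns a referenced slot (as the `PK11_GetInternalSlot()`/`PK11_FreeSlot` pairing in PK11_TokenExists suggests) and the list takes its own reference, both to be confirmed, one slot reference is leaked on every call. The changed `return slotList;` after a failed PK11_NewSlotList also hides that NULL is being returned; the previous `return NULL;` was clearer. The function continues past the end of the hunk.

```c
        /* default to softoken */
        PK11SlotInfo *internalSlot = PK11_GetInternalKeySlot();
        if (internalSlot) {
            PK11_AddSlotToList(slotList, internalSlot);
            PK11_FreeSlot(internalSlot);
        }
        return slotList;
```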
@@ -579,27 +591,32 @@ PK11_FindSlotsByNames(const char *dllNam
 
     return slotList;
 }
 
 PK11SlotInfo *
 PK11_FindSlotByName(const char *name)
 {
    SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODModuleList *modules;
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    int i;
    PK11SlotInfo *slot = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return slot;
+    }
    if ((name == NULL) || (*name == 0)) {
 	return PK11_GetInternalKeySlot();
    }
 
    /* work through all the slots */
    SECMOD_GetReadLock(moduleLock);
+   modules = SECMOD_GetDefaultModuleList();
    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 	for (i=0; i < mlp->module->slotCount; i++) {
 	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
 	    if (PK11_IsPresent(tmpSlot)) {
 		if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
 		    slot = PK11_ReferenceSlot(tmpSlot);
 		    break;
 		}
@@ -616,23 +633,28 @@ PK11_FindSlotByName(const char *name)
     return slot;
 }
 
 
 PK11SlotInfo *
 PK11_FindSlotBySerial(char *serial)
 {
    SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODModuleList *modules;
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    int i;
    PK11SlotInfo *slot = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return slot;
+    }
    /* work through all the slots */
    SECMOD_GetReadLock(moduleLock);
+   modules = SECMOD_GetDefaultModuleList();
    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 	for (i=0; i < mlp->module->slotCount; i++) {
 	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
 	    if (PK11_IsPresent(tmpSlot)) {
 		if (PORT_Memcmp(tmpSlot->serial,serial,
 					sizeof(tmpSlot->serial)) == 0) {
 		    slot = PK11_ReferenceSlot(tmpSlot);
 		    break;
@@ -1717,33 +1739,38 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C
  * Return true if a token that can do the desired mechanism exists.
  * This allows us to have hardware tokens that can do function XYZ magically
  * allow SSL Ciphers to appear if they are plugged in.
  */
 PRBool
 PK11_TokenExists(CK_MECHANISM_TYPE type)
 {
     SECMODModuleList *mlp;
-    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *modules;
     SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     PK11SlotInfo *slot;
     PRBool found = PR_FALSE;
     int i;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return found;
+    }
     /* we only need to know if there is a token that does this mechanism.
      * check the internal module first because it's fast, and supports 
      * almost everything. */
     slot = PK11_GetInternalSlot();
     if (slot) {
     	found = PK11_DoesMechanism(slot,type);
 	PK11_FreeSlot(slot);
     }
     if (found) return PR_TRUE; /* bypass getting module locks */
 
     SECMOD_GetReadLock(moduleLock);
+    modules = SECMOD_GetDefaultModuleList();
     for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
 	for (i=0; i < mlp->module->slotCount; i++) {
 	    slot = mlp->module->slots[i];
 	    if (PK11_IsPresent(slot)) {
 		if (PK11_DoesMechanism(slot,type)) {
 		    found = PR_TRUE;
 		    break;
 		}
@@ -1759,36 +1786,47 @@ PK11_TokenExists(CK_MECHANISM_TYPE type)
  * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
  * get all the tokens. Make sure tokens that need authentication are put at
  * the end of this list.
  */
 PK11SlotList *
 PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, 
                   void *wincx)
 {
-    PK11SlotList *     list         = PK11_NewSlotList();
-    PK11SlotList *     loginList    = PK11_NewSlotList();
-    PK11SlotList *     friendlyList = PK11_NewSlotList();
+    PK11SlotList *     list;
+    PK11SlotList *     loginList;
+    PK11SlotList *     friendlyList;
     SECMODModuleList * mlp;
-    SECMODModuleList * modules      = SECMOD_GetDefaultModuleList();
-    SECMODListLock *   moduleLock   = SECMOD_GetDefaultModuleListLock();
+    SECMODModuleList * modules;
+    SECMODListLock *   moduleLock;
     int                i;
 #if defined( XP_WIN32 ) 
     int                j            = 0;
     PRInt32            waste[16];
 #endif
 
+    moduleLock   = SECMOD_GetDefaultModuleListLock();
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return NULL;
+    }
+
+    list         = PK11_NewSlotList();
+    loginList    = PK11_NewSlotList();
+    friendlyList = PK11_NewSlotList();
     if ((list == NULL)  || (loginList == NULL) || (friendlyList == NULL)) {
 	if (list) PK11_FreeSlotList(list);
 	if (loginList) PK11_FreeSlotList(loginList);
 	if (friendlyList) PK11_FreeSlotList(friendlyList);
 	return NULL;
     }
 
     SECMOD_GetReadLock(moduleLock);
+
+    modules      = SECMOD_GetDefaultModuleList();
     for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 
 #if defined( XP_WIN32 ) 
 	/* This is works around some horrible cache/page thrashing problems 
 	** on Win32.  Without this, this loop can take up to 6 seconds at 
 	** 100% CPU on a Pentium-Pro 200.  The thing this changes is to 
 	** increase the size of the stack frame and modify it.  
 	** Moving the loop code itself seems to have no effect.
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -218,16 +218,20 @@ SECMODListLock *SECMOD_GetDefaultModuleL
  * return that module.
  */
 SECMODModule *
 SECMOD_FindModule(const char *name)
 {
     SECMODModuleList *mlp;
     SECMODModule *module = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return module;
+    }
     SECMOD_GetReadLock(moduleLock);
     for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
 	    module = mlp->module;
 	    SECMOD_ReferenceModule(module);
 	    break;
 	}
     }
@@ -253,16 +257,20 @@ found:
  * return that module.
  */
 SECMODModule *
 SECMOD_FindModuleByID(SECMODModuleID id) 
 {
     SECMODModuleList *mlp;
     SECMODModule *module = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return module;
+    }
     SECMOD_GetReadLock(moduleLock);
     for(mlp = modules; mlp != NULL; mlp = mlp->next) {
 	if (id == mlp->module->moduleID) {
 	    module = mlp->module;
 	    SECMOD_ReferenceModule(module);
 	    break;
 	}
     }
@@ -277,16 +285,20 @@ SECMOD_FindModuleByID(SECMODModuleID id)
  * Find the Slot based on ID and the module.
  */
 PK11SlotInfo *
 SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID)
 {
     int i;
     PK11SlotInfo *slot = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return slot;
+    }
     SECMOD_GetReadLock(moduleLock);
     for (i=0; i < module->slotCount; i++) {
 	PK11SlotInfo *cSlot = module->slots[i];
 
 	if (cSlot->slotID == slotID) {
 	    slot = PK11_ReferenceSlot(cSlot);
 	    break;
 	}
@@ -324,16 +336,21 @@ SECMOD_LookupSlot(SECMODModuleID moduleI
 SECStatus
 SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, 
 						int *type, PRBool permdb) 
 {
     SECMODModuleList *mlp;
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return rv;
+    }
+
     *type = SECMOD_EXTERNAL;
 
     SECMOD_GetWriteLock(moduleLock);
     for (mlpp = &modules,mlp = modules; 
 				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
 	if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
 							mod == mlp->module) {
 	    /* don't delete the internal module */
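Review bot: The new not-initialized exit in SECMOD_DeleteModuleEx returns before `*type = SECMOD_EXTERNAL;`, so on that path the caller's `type` output is never written. A caller that reads it after a failure would see whatever the variable held before the call. Moving `*type = SECMOD_EXTERNAL;` above the `if (!moduleLock)` block keeps the output defined on every return. The function continues past the end of the hunk.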
@@ -400,16 +417,20 @@ SECMOD_DeleteInternalModule(const char *
     SECMODModuleList *mlp;
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
     if (pendingModule) {
 	PORT_SetError(SEC_ERROR_MODULE_STUCK);
 	return rv;
     }
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return rv;
+    }
 
     SECMOD_GetWriteLock(moduleLock);
     for(mlpp = &modules,mlp = modules; 
 				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
 	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
 	    /* don't delete the internal module */
 	    if (mlp->module->internal) {
 		SECMOD_RemoveList(mlpp,mlp);
@@ -503,16 +524,20 @@ SECMOD_AddModule(SECMODModule *newModule
 
 PK11SlotInfo *
 SECMOD_FindSlot(SECMODModule *module,const char *name) 
 {
     int i;
     char *string;
     PK11SlotInfo *retSlot = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return retSlot;
+    }
     SECMOD_GetReadLock(moduleLock);
     for (i=0; i < module->slotCount; i++) {
 	PK11SlotInfo *slot = module->slots[i];
 
 	if (PK11_IsPresent(slot)) {
 	    string = PK11_GetTokenName(slot);
 	} else {
 	    string = PK11_GetSlotName(slot);
@@ -569,16 +594,20 @@ SECMOD_AddNewModuleEx(const char* module
                               char* modparms, char* nssparms)
 {
     SECMODModule *module;
     SECStatus result = SECFailure;
     int s,i;
     PK11SlotInfo* slot;
 
     PR_SetErrorText(0, NULL);
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return result;
+    }
 
     module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms);
 
     if (module == NULL) {
 	return result;
     }
 
     if (module->dllName != NULL) {
@@ -688,20 +717,24 @@ SECMOD_InternaltoPubCipherFlags(unsigned
     return internalFlags;
 }
 
 /* Funtion reports true if module of modType is installed/configured */
 PRBool 
 SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
 {
     PRBool result = PR_FALSE;
-    SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *mods;
+
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return result;
+    }
     SECMOD_GetReadLock(moduleLock);
-
-
+    mods = SECMOD_GetDefaultModuleList();
     for ( ; mods != NULL; mods = mods->next) {
         if (mods->module->ssl[0] & 
 		SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) {
             result = PR_TRUE;
         }
     }
 
     SECMOD_ReleaseReadLock(moduleLock);
@@ -862,16 +895,21 @@ SECMOD_UpdateSlotList(SECMODModule *mod)
     CK_ULONG count;
     CK_ULONG i, oldCount;
     PRBool freeRef = PR_FALSE;
     void *mark = NULL;
     CK_ULONG *slotIDs = NULL;
     PK11SlotInfo **newSlots = NULL;
     PK11SlotInfo **oldSlots = NULL;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return SECFailure;
+    }
+
     /* C_GetSlotList is not a session function, make sure 
      * calls are serialized */
     PZ_Lock(mod->refLock);
     freeRef = PR_TRUE;
     /* see if the number of slots have changed */
     crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count);
     if (crv != CKR_OK) {
 	PORT_SetError(PK11_MapError(crv));
@@ -983,16 +1021,20 @@ loser:
 PK11SlotInfo *
 secmod_HandleWaitForSlotEvent(SECMODModule *mod,  unsigned long flags,
 						PRIntervalTime latency)
 {
     PRBool removableSlotsFound = PR_FALSE;
     int i;
     int error = SEC_ERROR_NO_EVENT;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return NULL;
+    }
     PZ_Lock(mod->refLock);
     if (mod->evControlMask & SECMOD_END_WAIT) {
 	mod->evControlMask &= ~SECMOD_END_WAIT;
 	PZ_Unlock(mod->refLock);
 	PORT_SetError(SEC_ERROR_NO_EVENT);
 	return NULL;
     }
     mod->evControlMask |= SECMOD_WAIT_SIMULATED_EVENT;
@@ -1179,16 +1221,20 @@ loser:
  * watch for.
  */
 PRBool
 SECMOD_HasRemovableSlots(SECMODModule *mod)
 {
     int i;
     PRBool ret = PR_FALSE;
 
+    if (!moduleLock) {
+    	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return ret;
+    }
     SECMOD_GetReadLock(moduleLock);
     for (i=0; i < mod->slotCount; i++) {
 	PK11SlotInfo *slot = mod->slots[i];
 	/* perm modules are not inserted or removed */
 	if (slot->isPerm) {
 	    continue;
 	}
 	ret = PR_TRUE;
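Review bot: With the new early return, `PR_FALSE` from SECMOD_HasRemovableSlots means either "no removable slots" or "module list not initialized", and only the error code tells the two apart. The header comment, whose tail is visible at the top of the hunk, should state this, for example `* Returns PR_FALSE and sets SEC_ERROR_NOT_INITIALIZED if the module lock has not been created.` The function continues past the end of the hunk.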
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -2402,17 +2402,20 @@ sec_pkcs12_add_cert(sec_PKCS12SafeBag *c
 	certList[1] = NULL;
 	
 	rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
 			     1, certList, NULL, PR_TRUE, PR_FALSE, nickData);
     } else {
 	rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE,
 							nickData, PR_FALSE);
     }
-
+    if (rv) {
+	cert->problem = 1;
+	cert->error = PORT_GetError();
+    }
     cert->installed = PR_TRUE;
     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
     return rv;
 }
 
 static SECItem *
 sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, KeyType *type);
 
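Review bot: `cert->installed = PR_TRUE;` still runs unconditionally after the new `if (rv)` block, so a bag whose import failed ends up flagged both `problem` and `installed`. If `installed` is meant to say the certificate actually reached the database or token (its meaning is not visible in this hunk), it should be set only on success, e.g. `cert->installed = (rv == SECSuccess) ? PR_TRUE : PR_FALSE;`. Otherwise a comment saying it means "import attempted" would stop later code from treating it as proof of a stored certificate. The test would also read more clearly as `if (rv != SECSuccess)` with `cert->problem = PR_TRUE;`, assuming `problem` is a PRBool. sec_pkcs12_add_cert starts before this hunk.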
--- a/security/nss/lib/smime/config.mk
+++ b/security/nss/lib/smime/config.mk
@@ -88,23 +88,8 @@ SHARED_LIBRARY_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
 	$(NULL)
 
 SHARED_LIBRARY_DIRS = \
 	../pkcs12 \
 	../pkcs7 \
 	$(NULL)
 
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
-
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -91,26 +91,14 @@ EXTRA_SHARED_LIBS += \
 	$(NULL)
 endif
 
 ifeq ($(OS_TARGET),AIX)
 OS_LIBS += -lpthread
 endif
 
 ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
 OS_LIBS += -lbsm 
 endif
 
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
-
 ifeq ($(OS_TARGET),WINCE)
 DEFINES += -DDBM_USING_NSPR
 endif
--- a/security/nss/lib/softoken/fipstest.c
+++ b/security/nss/lib/softoken/fipstest.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: fipstest.c,v 1.25 2009/03/29 03:45:34 wtc%google.com Exp $ */
+/* $Id: fipstest.c,v 1.27 2009/06/19 23:05:48 rrelyea%redhat.com Exp $ */
 
 #include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
                         /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
                         /*              and DSA.                         */
 #include "seccomon.h"   /* Required for RSA and DSA. */
 #include "lowkeyi.h"    /* Required for RSA and DSA. */
 #include "pkcs11.h"     /* Required for PKCS #11. */
 #include "secerr.h"
@@ -85,27 +85,27 @@
 /* FIPS preprocessor directives for message digests             */
 #define FIPS_KNOWN_HASH_MESSAGE_LENGTH          64  /* 512-bits */
 
 
 /* FIPS preprocessor directives for RSA.                         */
 #define FIPS_RSA_TYPE                           siBuffer
 #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH           3 /*   24-bits */
 #define FIPS_RSA_PRIVATE_VERSION_LENGTH           1 /*    8-bits */
-#define FIPS_RSA_MESSAGE_LENGTH                 128 /* 1024-bits */
-#define FIPS_RSA_COEFFICIENT_LENGTH              64 /*  512-bits */
-#define FIPS_RSA_PRIME0_LENGTH                   64 /*  512-bits */
-#define FIPS_RSA_PRIME1_LENGTH                   64 /*  512-bits */
-#define FIPS_RSA_EXPONENT0_LENGTH                64 /*  512-bits */
-#define FIPS_RSA_EXPONENT1_LENGTH                64 /*  512-bits */
-#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH        128 /* 1024-bits */
-#define FIPS_RSA_ENCRYPT_LENGTH                 128 /* 1024-bits */
-#define FIPS_RSA_DECRYPT_LENGTH                 128 /* 1024-bits */
-#define FIPS_RSA_SIGNATURE_LENGTH               128 /* 1024-bits */
-#define FIPS_RSA_MODULUS_LENGTH                 128 /* 1024-bits */
+#define FIPS_RSA_MESSAGE_LENGTH                 256 /* 2048-bits */
+#define FIPS_RSA_COEFFICIENT_LENGTH             128 /* 1024-bits */
+#define FIPS_RSA_PRIME0_LENGTH                  128 /* 1024-bits */
+#define FIPS_RSA_PRIME1_LENGTH                  128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT0_LENGTH               128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT1_LENGTH               128 /* 1024-bits */
+#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH        256 /* 2048-bits */
+#define FIPS_RSA_ENCRYPT_LENGTH                 256 /* 2048-bits */
+#define FIPS_RSA_DECRYPT_LENGTH                 256 /* 2048-bits */
+#define FIPS_RSA_SIGNATURE_LENGTH               256 /* 2048-bits */
+#define FIPS_RSA_MODULUS_LENGTH                 256 /* 2048-bits */
 
 
 /* FIPS preprocessor directives for DSA.                        */
 #define FIPS_DSA_TYPE                           siBuffer
 #define FIPS_DSA_DIGEST_LENGTH                  20 /*  160-bits */
 #define FIPS_DSA_SUBPRIME_LENGTH                20 /*  160-bits */
 #define FIPS_DSA_SIGNATURE_LENGTH               40 /*  320-bits */
 #define FIPS_DSA_PRIME_LENGTH                  128 /* 1024-bits */
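Review bot: The eleven RSA sizes are bumped as independent literals, although the hunk's own comments show they follow one key size: message, encrypt, decrypt, signature and private exponent equal the modulus length, and the CRT values are half of it. Deriving them, e.g. `#define FIPS_RSA_SIGNATURE_LENGTH FIPS_RSA_MODULUS_LENGTH` and `#define FIPS_RSA_PRIME0_LENGTH (FIPS_RSA_MODULUS_LENGTH / 2)`, would make the next key-size change a one-line edit. It would also keep a buffer sized by one constant from being filled with data sized by another. The unchanged comment above `rsa_known_plaintext_msg` in the following hunk still reads "(1024-bits)" and should say 2048-bits to match FIPS_RSA_MESSAGE_LENGTH.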
@@ -1144,212 +1144,333 @@ loser:
 
     return( SECFailure );
 
 }
 
 static CK_RV
 sftk_fips_RSA_PowerUpSelfTest( void )
 {
-    /* RSA Known Modulus used in both Public/Private Key Values (1024-bits). */
+    /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */
     static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
-                               0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82,
-                               0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71,
-                               0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b,
-                               0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13,
-                               0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc,
-                               0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5,
-                               0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94,
-                               0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29,
-                               0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07,
-                               0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1,
-                               0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05,
-                               0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7,
-                               0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78,
-                               0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c,
-                               0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77,
-                               0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97};
+                            0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5,
+                            0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2,
+                            0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e,
+                            0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88,
+                            0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed,
+                            0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f,
+                            0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9,
+                            0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e,
+                            0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7,
+                            0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7,
+                            0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8,
+                            0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2,
+                            0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57,
+                            0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6,
+                            0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d,
+                            0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20,
+                            0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9,
+                            0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d,
+                            0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7,
+                            0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e,
+                            0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15,
+                            0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12,
+                            0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4,
+                            0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e,
+                            0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77,
+                            0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53,
+                            0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0,
+                            0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46,
+                            0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39,
+                            0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4,
+                            0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43,
+                            0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b};
 
     /* RSA Known Public Key Values (24-bits). */
     static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] 
                                                        = { 0x01, 0x00, 0x01 };
     /* RSA Known Private Key Values (version                 is    8-bits), */
-    /*                              (private exponent        is 1024-bits), */
-    /*                              (private prime0          is  512-bits), */
-    /*                              (private prime1          is  512-bits), */
-    /*                              (private prime exponent0 is  512-bits), */
-    /*                              (private prime exponent1 is  512-bits), */
-    /*                          and (private coefficient     is  512-bits). */
+    /*                              (private exponent        is 2048-bits), */
+    /*                              (private prime0          is 1024-bits), */
+    /*                              (private prime1          is 1024-bits), */
+    /*                              (private prime exponent0 is 1024-bits), */
+    /*                              (private prime exponent1 is 1024-bits), */
+    /*                          and (private coefficient     is 1024-bits). */
     static const PRUint8 rsa_version[] = { 0x00 };
 
     static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH]
-                           = { 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2,
-                               0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f,
-                               0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d,
-                               0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48,
-                               0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03,
-                               0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99,
-                               0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7,
-                               0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06,
-                               0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2,
-                               0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d,
-                               0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef,
-                               0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f,
-                               0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44,
-                               0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5,
-                               0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b,
-                               0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21};
+                         = {0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c,
+                            0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67,
+                            0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5,
+                            0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff,
+                            0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35,
+                            0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83,
+                            0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0,
+                            0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00,
+                            0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e,
+                            0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7,
+                            0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67,
+                            0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84,
+                            0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4,
+                            0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54,
+                            0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9,
+                            0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c,
+                            0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06,
+                            0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a,
+                            0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7,
+                            0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8,
+                            0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95,
+                            0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02,
+                            0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb,
+                            0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c,
+                            0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38,
+                            0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44,
+                            0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23,
+                            0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e,
+                            0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d,
+                            0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21,
+                            0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48,
+                            0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81 };
 
     static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH]   = {
-                               0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee,
-                               0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c,
-                               0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d,
-                               0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8,
-                               0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03,
-                               0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd,
-                               0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc,
-                               0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf};
+                            0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40,
+                            0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96,
+                            0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f,
+                            0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96,
+                            0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d,
+                            0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc,
+                            0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58,
+                            0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38,
+                            0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85,
+                            0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6,
+                            0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4,
+                            0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f,
+                            0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19,
+                            0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4,
+                            0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95,
+                            0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05};
     static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH]   = {
-                               0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04,
-                               0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e,
-                               0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11,
-                               0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8,
-                               0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8,
-                               0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93,
-                               0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f,
-                               0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29};
+                            0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06,
+                            0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c,
+                            0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8,
+                            0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34,
+                            0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36,
+                            0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88,
+                            0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9,
+                            0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd,
+                            0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b,
+                            0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35,
+                            0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a,
+                            0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70,
+                            0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05,
+                            0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed,
+                            0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9,
+                            0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf};
     static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
-                               0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b,
-                               0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc,
-                               0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1,
-                               0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf,
-                               0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91,
-                               0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50,
-                               0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41,
-                               0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03};
+                            0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1,
+                            0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a,
+                            0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9,
+                            0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37,
+                            0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d,
+                            0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c,
+                            0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59,
+                            0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01,
+                            0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda,
+                            0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63,
+                            0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde,
+                            0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62,
+                            0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5,
+                            0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2,
+                            0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8,
+                            0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d};
     static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
-                               0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58,
-                               0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20,
-                               0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f,
-                               0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf,
-                               0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57,
-                               0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7,
-                               0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc,
-                               0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51};
+                            0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b,
+                            0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea,
+                            0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44,
+                            0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02,
+                            0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c,
+                            0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a,
+                            0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4,
+                            0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb,
+                            0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea,
+                            0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07,
+                            0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97,
+                            0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55,
+                            0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4,
+                            0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7,
+                            0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40,
+                            0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59};
     static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
-                               0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74,
-                               0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6,
-                               0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e,
-                               0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64,
-                               0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba,
-                               0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d,
-                               0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61,
-                               0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1};
+                            0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96,
+                            0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3,
+                            0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91,
+                            0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83,
+                            0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b,
+                            0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b,
+                            0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0,
+                            0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a,
+                            0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5,
+                            0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd,
+                            0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37,
+                            0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22,
+                            0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21,
+                            0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1,
+                            0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2,
+                            0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02};
 
     /* RSA Known Plaintext Message (1024-bits). */
     static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
-                                         "Known plaintext message utilized" 
+                                         "Known plaintext message utilized"
                                          "for RSA Encryption &  Decryption"
-                                         "block, SHA1, SHA256, SHA384  and"
-                                         "SHA512 RSA Signature KAT tests."};
+                                         "blocks SHA256, SHA384  and      "
+                                         "SHA512 RSA Signature KAT tests. "
+                                         "Known plaintext message utilized"
+                                         "for RSA Encryption &  Decryption"
+                                         "blocks SHA256, SHA384  and      "
+                                         "SHA512 RSA Signature KAT  tests."};
 
-    /* RSA Known Ciphertext (1024-bits). */
+    /* RSA Known Ciphertext (2048-bits). */
     static const PRUint8 rsa_known_ciphertext[] = {
-                               0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23,
-                               0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb,
-                               0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c,
-                               0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e,
-                               0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a,
-                               0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff,
-                               0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e,
-                               0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12,
-                               0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85,
-                               0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf,
-                               0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c,
-                               0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1,
-                               0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94,
-                               0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe,
-                               0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c,
-                               0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc};
+                            0x04, 0x12, 0x46, 0xe3, 0x6a, 0xee, 0xde, 0xdd,
+                            0x49, 0xa1, 0xd9, 0x83, 0xf7, 0x35, 0xf9, 0x70,
+                            0x88, 0x03, 0x2d, 0x01, 0x8b, 0xd1, 0xbf, 0xdb,
+                            0xe5, 0x1c, 0x85, 0xbe, 0xb5, 0x0b, 0x48, 0x45,
+                            0x7a, 0xf0, 0xa0, 0xe3, 0xa2, 0xbb, 0x4b, 0xf6,
+                            0x27, 0xd0, 0x1b, 0x12, 0xe3, 0x77, 0x52, 0x34,
+                            0x9e, 0x8e, 0x03, 0xd2, 0xf8, 0x79, 0x6e, 0x39,
+                            0x79, 0x53, 0x3c, 0x44, 0x14, 0x94, 0xbb, 0x8d,
+                            0xaa, 0x14, 0x44, 0xa0, 0x7b, 0xa5, 0x8c, 0x93,
+                            0x5f, 0x99, 0xa4, 0xa3, 0x6e, 0x7a, 0x38, 0x40,
+                            0x78, 0xfa, 0x36, 0x91, 0x5e, 0x9a, 0x9c, 0xba,
+                            0x1e, 0xd4, 0xf9, 0xda, 0x4b, 0x0f, 0xa8, 0xa3,
+                            0x1c, 0xf3, 0x3a, 0xd1, 0xa5, 0xb4, 0x51, 0x16,
+                            0xed, 0x4b, 0xcf, 0xec, 0x93, 0x7b, 0x90, 0x21,
+                            0xbc, 0x3a, 0xf4, 0x0b, 0xd1, 0x3a, 0x2b, 0xba,
+                            0xa6, 0x7d, 0x5b, 0x53, 0xd8, 0x64, 0xf9, 0x29,
+                            0x7b, 0x7f, 0x77, 0x3e, 0x51, 0x4c, 0x9a, 0x94,
+                            0xd2, 0x4b, 0x4a, 0x8d, 0x61, 0x74, 0x97, 0xae,
+                            0x53, 0x6a, 0xf4, 0x90, 0xc2, 0x2c, 0x49, 0xe2,
+                            0xfa, 0xeb, 0x91, 0xc5, 0xe5, 0x83, 0x13, 0xc9,
+                            0x44, 0x4b, 0x95, 0x2c, 0x57, 0x70, 0x15, 0x5c,
+                            0x64, 0x8d, 0x1a, 0xfd, 0x2a, 0xc7, 0xb2, 0x9c,
+                            0x5c, 0x99, 0xd3, 0x4a, 0xfd, 0xdd, 0xf6, 0x82,
+                            0x87, 0x8c, 0x5a, 0xc4, 0xa8, 0x0d, 0x2a, 0xef,
+                            0xc3, 0xa2, 0x7e, 0x8e, 0x67, 0x9f, 0x6f, 0x63,
+                            0xdb, 0xbb, 0x1d, 0x31, 0xc4, 0xbb, 0xbc, 0x13,
+                            0x3f, 0x54, 0xc6, 0xf6, 0xc5, 0x28, 0x32, 0xab,
+                            0x96, 0x42, 0x10, 0x36, 0x40, 0x92, 0xbb, 0x57,
+                            0x55, 0x38, 0xf5, 0x43, 0x7e, 0x43, 0xc4, 0x65,
+                            0x47, 0x64, 0xaa, 0x0f, 0x4c, 0xe9, 0x49, 0x16,
+                            0xec, 0x6a, 0x50, 0xfd, 0x14, 0x49, 0xca, 0xdb,
+                            0x44, 0x54, 0xca, 0xbe, 0xa3, 0x0e, 0x5f, 0xef};
 
-    /* RSA Known Signed Hash (1024-bits). */
-    static const PRUint8 rsa_known_sha1_signature[] = {
-                               0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6,
-                               0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf,
-                               0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4,
-                               0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8,
-                               0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56,
-                               0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08,
-                               0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99,
-                               0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d,
-                               0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32,
-                               0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d,
-                               0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09,
-                               0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73,
-                               0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03,
-                               0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76,
-                               0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d,
-                               0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19};
-
-    /* RSA Known Signed Hash (1024-bits). */
+    /* RSA Known Signed Hash (2048-bits). */
     static const PRUint8 rsa_known_sha256_signature[] = {
-                               0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3,
-                               0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc,
-                               0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29,
-                               0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7,
-                               0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b,
-                               0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79,
-                               0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5,
-                               0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51,
-                               0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53,
-                               0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc,
-                               0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0,
-                               0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e,
-                               0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46,
-                               0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6,
-                               0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e,
-                               0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d};
+                            0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38,
+                            0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a,
+                            0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f,
+                            0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50,
+                            0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde,
+                            0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80,
+                            0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42,
+                            0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d,
+                            0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75,
+                            0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65,
+                            0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09,
+                            0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6,
+                            0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e,
+                            0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92,
+                            0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b,
+                            0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51,
+                            0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34,
+                            0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93,
+                            0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e,
+                            0xbd, 0x63, 0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2,
+                            0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b,
+                            0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7,
+                            0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd,
+                            0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18,
+                            0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb,
+                            0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c,
+                            0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6,
+                            0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca,
+                            0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19,
+                            0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8,
+                            0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a,
+                            0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92};
 
-    /* RSA Known Signed Hash (1024-bits). */
-    static const PRUint8 rsa_known_sha384_signature[] = {
-                               0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96,
-                               0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f,
-                               0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c,
-                               0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57,
-                               0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9,
-                               0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72,
-                               0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc,
-                               0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1,
-                               0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf,
-                               0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19,
-                               0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71,
-                               0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef,
-                               0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7,
-                               0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1,
-                               0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41,
-                               0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21};
+   /* RSA Known Signed Hash (2048-bits). */
+   static const PRUint8 rsa_known_sha384_signature[] = {
+                            0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15,
+                            0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf,
+                            0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f,
+                            0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf,
+                            0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa,
+                            0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66,
+                            0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49,
+                            0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3,
+                            0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac,
+                            0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37,
+                            0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7,
+                            0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d,
+                            0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1,
+                            0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb,
+                            0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16,
+                            0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92,
+                            0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70,
+                            0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec,
+                            0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f,
+                            0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1,
+                            0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3,
+                            0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2,
+                            0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e,
+                            0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c,
+                            0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8,
+                            0x33, 0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7,
+                            0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71,
+                            0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e,
+                            0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b,
+                            0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb,
+                            0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4,
+                            0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa};
 
-    /* RSA Known Signed Hash (1024-bits). */
-    static const PRUint8 rsa_known_sha512_signature[] = {
-                               0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73,
-                               0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6,
-                               0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46,
-                               0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3,
-                               0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69,
-                               0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43,
-                               0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e,
-                               0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d,
-                               0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3,
-                               0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85,
-                               0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd,
-                               0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a,
-                               0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa,
-                               0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d,
-                               0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06,
-                               0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8};
+   /* RSA Known Signed Hash (2048-bits). */
+   static const PRUint8 rsa_known_sha512_signature[] = {
+                            0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31,
+                            0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f,
+                            0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8,
+                            0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e,
+                            0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42,
+                            0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e,
+                            0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d,
+                            0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53,
+                            0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54,
+                            0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56,
+                            0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8,
+                            0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93,
+                            0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d,
+                            0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26,
+                            0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6,
+                            0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d,
+                            0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc,
+                            0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce,
+                            0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55,
+                            0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37,
+                            0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97,
+                            0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0,
+                            0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a,
+                            0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54,
+                            0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3,
+                            0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04,
+                            0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe,
+                            0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59,
+                            0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48,
+                            0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98,
+                            0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0,
+                            0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81};
 
     static const RSAPublicKey    bl_public_key = { NULL,
       { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,         
                                         FIPS_RSA_MODULUS_LENGTH },
       { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, 
                                         FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
     };
     static const RSAPrivateKey   bl_private_key = { NULL,
@@ -1442,23 +1563,16 @@ sftk_fips_RSA_PowerUpSelfTest( void )
                                   rsa_computed_plaintext,
                                   rsa_known_ciphertext);
 
     if( ( rsa_status != SECSuccess ) ||
         ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext_msg,
                        FIPS_RSA_DECRYPT_LENGTH ) != 0 ) )
         goto rsa_loser;
 
-    rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA1,
-                           rsa_public_key, rsa_private_key,
-                           rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 
-                           rsa_known_sha1_signature);
-    if( rsa_status != SECSuccess )
-        goto rsa_loser;
-
     rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA256,
                            rsa_public_key, rsa_private_key,
                            rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
                            rsa_known_sha256_signature);
     if( rsa_status != SECSuccess )
         goto rsa_loser;
 
     rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA384,
@@ -1817,107 +1931,91 @@ sftk_fips_RNG_PowerUpSelfTest( void )
 			0xc5,0x79,0x10,0x8b,0x23,0x79,0x37,0x14,
 			0x9f,0x2c,0xc7,0x0b,0x39,0xf8,0xee,0xef,
 			0x95,0x0c,0x97,0x59,0xfc,0x0a,0x85,0x41,
 			0x76,0x9d,0x6d,0x67,0x00,0x4e,0x19,0x12,
 			0x02,0x16,0x53,0xea,0xf2,0x73,0xd7,0xd6,
 			0x7f,0x7e,0xc8,0xae,0x9c,0x09,0x99,0x7d,
 			0xbb,0x9e,0x48,0x7f,0xbb,0x96,0x46,0xb3,
 			0x03,0x75,0xf8,0xc8,0x69,0x45,0x3f,0x97,
-			0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c};
+			0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c };
    static const PRUint8 rng_known_result[] = {
 			0x16,0xe1,0x8c,0x57,0x21,0xd8,0xf1,0x7e,
 			0x5a,0xa0,0x16,0x0b,0x7e,0xa6,0x25,0xb4,
 			0x24,0x19,0xdb,0x54,0xfa,0x35,0x13,0x66,
 			0xbb,0xaa,0x2a,0x1b,0x22,0x33,0x2e,0x4a,
 			0x14,0x07,0x9d,0x52,0xfc,0x73,0x61,0x48,
 			0xac,0xc1,0x22,0xfc,0xa4,0xfc,0xac,0xa4,
-			0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3,0xec,
-			0xb0,0xf2,0xee,0x63,0x11,0x61,0xdb,0x30,
-			0xd3,0x04,0x6b,0x96,0x22,0x1e,0x17,0x24,
-			0x1a,0x54,0x70,0xf3,0x4d,0x1c,0x6a,0xb0,
-			0xf9,0xe3,0xc8,0x07,0x97,0x5f,0xbb,0xe5,
-			0xde,0xce,0xa9,0x3f,0x91,0xd3,0x82,0x33,
-			0x11,0x3f,0x5b,0xb2,0xa9,0x1e,0x71,0x59,
-			0x68,0x8f,0x7d,0x77,0xfd,0xf5,0xcb,0xc8,
-			0x8f,0x51,0xb9,0x62,0x30,0x1b,0x12,0xa5,
-			0x7a,0xe1,0xf3,0x15,0x49,0x15,0xe9,0xc4,
-			0x3d,0x2d,0x1f,0x8c,0xe8,0x4e,0xd1,0xe6,
-			0x4e,0xf1,0x7a,0x64,0x2e,0x05,0xd6,0xee,
-			0xb8,0x7b,0x71,0x82,0x38,0x2b,0xc5,0xdd,
-			0x3a,0x32,0xae,0x64,0x0e,0xed,0x30,0xb2,
-			0x00,0x72,0x61,0x65,0xfb,0x09,0x26,0x68,
-			0x3e,0x36,0xb3,0x15,0xe2,0x30,0xde,0x49,
-			0xed,0x60,0xc5,0x40,0xe1,0x1a,0xe9,0x33,
-			0x7f,0x77,0xb5,0xa9,0xf7,0xa1,0xb9,0xdb,
-			0x77,0x61,0x00,0xc2,0x18,0xa1,0xa1,0x3a,
-			0x0e,0x2a,0x6c,0xa1,0x3f,0x33,0xdd,0xb9,
-			0x23,0x48,0x75,0x50,0xd3,0xbb,0xd9,0x0e,
-			0xdb,0xb4,0x62,0x33,0x52,0x41,0x5c,0xfc,
-			0xdd,0x89,0xd6,0x60,0xe8,0x2b,0x6f,0xb2,
-			0x7f,0x4d,0x97,0x8c,0x69,0xa4,0x15,0x16,
-			0x4c,0x7f,0x4d,0x8d,0x2e,0xec,0xfa,0x0e,
-			0xfa,0x37,0xe9,0x9d,0x21,0x9b,0x69,0x2a,
-			0xc5,0x4f,0x5b,0x59,0xe9,0x98,0x73,0x54,
-			0x28,0x33,0x4d,0x7c,0x53,0x8c,0x43,0x2b,
-			0xc7,0x0e,0xfb,0x35,0x9d,0xf7,0x2e,0x1a,
-			0xaa,0x80,0xa3,0x70,0x2c,0x72,0x43,0xb0,
-			0x35,0x3b,0xe2,0x58,0x63,0xf8,0x1d,0xcd,
-			0x55,0x66,0xb8,0x1e,0x06,0xa5,0xb6,0x4d,
-			0xc2,0x9f,0x9b,0xde,0xa3,0xda,0x67,0x0e,
-			0xd9,0x4b,0xfd,0x29,0xba,0x16,0x4e,0x03,
-			0xe9,0x04,0x9a,0x67,0xf8,0xc4,0xb7,0x01,
-			0xba,0x3c,0x5f,0xdd,0x8e,0x56,0xf3,0xea,
-			0xf4,0xfb,0x75,0x76,0x30,0x20,0xe6,0xec,
-			0x44,0xc9,0x76,0xb2,0x21,0x0c,0x1c,0xb9,
-			0x5f,0x27,0xff,0x09,0x45,0x2c,0x26,0xfd,
-			0x27,0xb0,0xca,0x67,0xd3,0xb0,0x77,0x3e,
-			0x10,0x46,0xdd,0x81,0x70,0x47,0x5c,0x12,
-			0xe7,0x37,0x49,0x17,0xf5,0x04,0xbc,0x62,
-			0xef,0xba,0x6e,0x1d,0xb9,0x42,0xb5,0xf9,
-			0xda,0x2f,0x5b,0x05,0xa7,0x34,0x19,0xf6,
-			0xa4,0xdb,0x45,0xb0,0x18,0x6b,0x32,0x75,
-			0x0f,0x34,0xc8,0x1c,0x14,0xca,0x4f,0xf9,
-			0x43,0x76,0xa5,0x41,0xeb,0xd4,0x37,0xc9,
-			0xc8,0x94,0xe7,0x0f,0x4a,0xa1,0x72,0xc7,
-			0x48,0xbd,0x1c,0x84,0x74,0x73,0xd1,0x73,
-			0xcd,0x1e,0xf0,0xb9,0x66,0x00,0x63,0xab};
+			0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3 };
+   static const PRUint8 reseed_entropy[] = {
+			0xc6,0x0b,0x0a,0x30,0x67,0x07,0xf4,0xe2,
+			0x24,0xa7,0x51,0x6f,0x5f,0x85,0x3e,0x5d,
+			0x67,0x97,0xb8,0x3b,0x30,0x9c,0x7a,0xb1,
+			0x52,0xc6,0x1b,0xc9,0x46,0xa8,0x62,0x79 };
+   static const PRUint8 additional_input[] = {
+			0x86,0x82,0x28,0x98,0xe7,0xcb,0x01,0x14,
+			0xae,0x87,0x4b,0x1d,0x99,0x1b,0xc7,0x41,
+			0x33,0xff,0x33,0x66,0x40,0x95,0x54,0xc6,
+			0x67,0x4d,0x40,0x2a,0x1f,0xf9,0xeb,0x65 };
+   static const PRUint8 rng_reseed_result[] = {
+			0x02,0x0c,0xc6,0x17,0x86,0x49,0xba,0xc4,
+			0x7b,0x71,0x35,0x05,0xf0,0xdb,0x4a,0xc2,
+			0x2c,0x38,0xc1,0xa4,0x42,0xe5,0x46,0x4a,
+			0x7d,0xf0,0xbe,0x47,0x88,0xb8,0x0e,0xc6,
+			0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96,
+			0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61,
+			0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 };
    static const PRUint8 Q[] = {
 			0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a,
 			0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c,
 			0x9d,0xef,0xeb,0xed};
-  static const PRUint8 GENX[] = {
+   static const PRUint8 GENX[] = {
 			0x65,0x48,0xe3,0xca,0xac,0x64,0x2d,0xf7,
 			0x7b,0xd3,0x4e,0x79,0xc9,0x7d,0xa6,0xa8,
 			0xa2,0xc2,0x1f,0x8f,0xe9,0xb9,0xd3,0xa1,
 			0x3f,0xf7,0x0c,0xcd,0xa6,0xca,0xbf,0xce,
 			0x84,0x0e,0xb6,0xf1,0x0d,0xbe,0xa9,0xa3};
-  static const PRUint8 rng_known_DSAX[] = {
+   static const PRUint8 rng_known_DSAX[] = {
 			0x7a,0x86,0xf1,0x7f,0xbd,0x4e,0x6e,0xd9,
 			0x0a,0x26,0x21,0xd0,0x19,0xcb,0x86,0x73,
 			0x10,0x1f,0x60,0xd7};
 
 
 
    SECStatus rng_status = SECSuccess;
+   PR_STATIC_ASSERT(sizeof(rng_known_result) >= sizeof(rng_reseed_result));
    PRUint8 result[sizeof(rng_known_result)];
    PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH];
 
    /********************************************/
    /* Generate random bytes with a known seed. */
    /********************************************/
    rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy, 
 				     NULL, 0, NULL, 0);
    if (rng_status != SECSuccess) {
 	return ( CKR_DEVICE_ERROR );
    }
-   rng_status = PRNGTEST_Generate(result, sizeof result, NULL, 0);
+   rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0);
    if ( ( rng_status != SECSuccess)  ||
         ( PORT_Memcmp( result, rng_known_result,
-                       sizeof result ) != 0 ) ) {
+                       sizeof rng_known_result ) != 0 ) ) {
+	PRNGTEST_Uninstantiate();
+	return ( CKR_DEVICE_ERROR );
+   }
+   rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy,
+				additional_input, sizeof additional_input);
+   if (rng_status != SECSuccess) {
+	PRNGTEST_Uninstantiate();
+	return ( CKR_DEVICE_ERROR );
+   }
+   rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
+   if ( ( rng_status != SECSuccess)  ||
+        ( PORT_Memcmp( result, rng_reseed_result,
+                       sizeof rng_reseed_result ) != 0 ) ) {
+	PRNGTEST_Uninstantiate();
 	return ( CKR_DEVICE_ERROR );
    }
    rng_status = PRNGTEST_Uninstantiate();
    if (rng_status != SECSuccess) {
 	return ( CKR_DEVICE_ERROR );
    }
   
    /*******************************************/
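Review bot: The new reseed step in sftk_fips_RNG_PowerUpSelfTest has no banner comment, while the first generate is introduced by "Generate random bytes with a known seed."; nothing says that the second `PORT_Memcmp` is the known-answer check for `PRNGTEST_Reseed`. I would add `/* Reseed with known entropy and additional input, then compare the next output with rng_reseed_result. */` above the `PRNGTEST_Reseed` call. The three failure branches also repeat `PRNGTEST_Uninstantiate(); return ( CKR_DEVICE_ERROR );`, and a shared cleanup label would keep them from drifting apart. The function body starts and ends outside this hunk.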
--- a/security/nss/lib/softoken/legacydb/config.mk
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -85,26 +85,14 @@ EXTRA_SHARED_LIBS += \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
 
 ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
 OS_LIBS += -lbsm 
 endif
 
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
-
 ifeq ($(OS_TARGET),WINCE)
 DEFINES += -DDBM_USING_NSPR
 endif
--- a/security/nss/lib/softoken/pk11pars.h
+++ b/security/nss/lib/softoken/pk11pars.h
@@ -117,17 +117,17 @@ static PRBool secmod_argGetPair(char c) 
     case '[': return ']';
     case '(': return ')';
     default: break;
     }
     return ' ';
 }
 
 static PRBool secmod_argIsBlank(char c) {
-   return isspace(c);
+   return isspace((unsigned char )c);
 }
 
 static PRBool secmod_argIsEscape(char c) {
     return c == '\\';
 }
 
 static PRBool secmod_argIsQuote(char c) {
     switch (c) {
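Review bot: `secmod_argIsBlank` returns the raw result of `isspace`, which is only guaranteed to be non-zero for whitespace, not equal to `PR_TRUE`. The cast to `unsigned char` removes the undefined behaviour for negative `char` values, but a caller that compares the result with `PR_TRUE` (none is visible here) would still misread it. `return isspace((unsigned char)c) != 0;` makes the PRBool return type hold. The same applies to `sftk_argIsBlank` in sftkpars.c.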
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2584,18 +2584,16 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR p
 	crv = CKR_DEVICE_ERROR;
 	return crv;
     }
     rv = BL_Init();             /* initialize freebl engine */
     if (rv != SECSuccess) {
 	crv = CKR_DEVICE_ERROR;
 	return crv;
     }
-    RNG_SystemInfoForRNG();
-
 
     /* NOTE:
      * we should be getting out mutexes from this list, not statically binding
      * them from NSPR. This should happen before we allow the internal to split
      * off from the rest on NSS.
      */
 
    /* initialize the key and cert db's */
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -138,17 +138,17 @@ sftk_FreeAttribute(SFTKAttribute *attrib
     }
 }
 
 static SFTKAttribute *    
 sftk_FindTokenAttribute(SFTKTokenObject *object,CK_ATTRIBUTE_TYPE type)
 {
     SFTKAttribute *myattribute = NULL;
     SFTKDBHandle *dbHandle = NULL;
-    CK_RV crv;
+    CK_RV crv = CKR_HOST_MEMORY;
 
     myattribute = (SFTKAttribute*)PORT_Alloc(sizeof(SFTKAttribute));
     if (myattribute == NULL) {
 	goto loser;
     }
 
     dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
 
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -319,17 +319,17 @@ sdb_getTempDir(sqlite3 *sqlDB)
     }
     return tempDir;
 }
 
 
 /*
  * Map SQL_LITE errors to PKCS #11 errors as best we can.
  */
-static int 
+static CK_RV
 sdb_mapSQLError(sdbDataType type, int sqlerr)
 {
     switch (sqlerr) {
     /* good matches */
     case SQLITE_OK:
     case SQLITE_DONE:
 	return CKR_OK;
     case SQLITE_NOMEM:
@@ -726,16 +726,17 @@ sdb_FindObjectsInit(SDB *sdb, const CK_A
 	(*find)->sqlDB = sqlDB;
 	UNLOCK_SQLITE()  
 	return CKR_OK;
     } 
     error = sdb_mapSQLError(sdb_p->type, sqlerr);
 
 loser: 
     if (findstmt) {
+	sqlite3_reset(findstmt);
 	sqlite3_finalize(findstmt);
     }
     if (sqlDB) {
 	sdb_closeDBLocal(sdb_p, sqlDB) ;
     }
     UNLOCK_SQLITE()  
     return error;
 }
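Review bot: The added `sqlite3_reset(findstmt)` ahead of `sqlite3_finalize(findstmt)` at `loser` has no comment saying why it is needed, and both return values are dropped. sqlite3_finalize is documented as callable at any point in a statement's life, so the reset looks redundant unless it works around behaviour of the bundled SQLite. If that is the reason, record it next to the call, for example `/* reset before finalize: <reason, to be stated by the author> */`. sdb_FindObjectsInit starts outside this hunk.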
@@ -1972,18 +1973,20 @@ s_open(const char *directory, const char
     char *cert = sdb_BuildFileName(directory, certPrefix,
 				   "cert", cert_version, flags);
     char *key = sdb_BuildFileName(directory, keyPrefix,
 				   "key", key_version, flags);
     CK_RV error = CKR_OK;
     int inUpdate;
     PRUint32 accessOps;
 
-    *certdb = NULL;
-    *keydb = NULL;
+    if (certdb) 
+	*certdb = NULL;
+    if (keydb) 
+	*keydb = NULL;
     *newInit = 0;
 
 #ifdef SQLITE_UNSAFE_THREADS
     if (sqlite_lock == NULL) {
 	sqlite_lock = PR_NewLock();
 	if (sqlite_lock == NULL) {
 	    error = CKR_HOST_MEMORY;
 	    goto loser;
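Review bot: `*newInit = 0;` is still written without a NULL check, directly after the lines that now guard `certdb` and `keydb`. If callers may pass NULL for either database pointer, confirm that `newInit` is always non-NULL or guard it the same way, `if (newInit) *newInit = 0;`. Any later use of `*certdb` or `*keydb` in s_open, which continues past this hunk, needs the same guard for the change to be complete.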
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -1323,22 +1323,23 @@ sftkdb_GetAttributeValue(SFTKDBHandle *h
     return crv;
 
 }
 
 CK_RV
 sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
                                 const CK_ATTRIBUTE *template, CK_ULONG count)
 {
-    CK_RV crv = CKR_OK;
     CK_ATTRIBUTE *ntemplate;
     unsigned char *data = NULL;
     PLArenaPool *arena = NULL;
+    SDB *db;
+    CK_RV crv = CKR_OK;
     CK_OBJECT_HANDLE objectID = (object->handle & SFTK_OBJ_ID_MASK);
-    SDB *db;
+    PRBool inTransaction = PR_FALSE;
 
     if (handle == NULL) {
 	return CKR_TOKEN_WRITE_PROTECTED;
     }
 
     db = SFTK_GET_SDB(handle);
     /* nothing to do */
     if (count == 0) {
@@ -1358,43 +1359,47 @@ sftkdb_SetAttributeValue(SFTKDBHandle *h
     ntemplate = sftkdb_fixupTemplateIn(template, count, &data);
     if (ntemplate == NULL) {
 	return CKR_HOST_MEMORY;
     }
 
     /* make sure we don't have attributes that conflict with the existing DB */
     crv = sftkdb_checkConflicts(db, object->objclass, template, count, objectID);
     if (crv != CKR_OK) {
-	return crv;
+	goto loser;
     }
 
     arena = PORT_NewArena(256);
     if (arena ==  NULL) {
-	return CKR_HOST_MEMORY;
+	crv = CKR_HOST_MEMORY;
+	goto loser;
     }
 
     crv = (*db->sdb_Begin)(db);
     if (crv != CKR_OK) {
 	goto loser;
     }
+    inTransaction = PR_TRUE;
     crv = sftkdb_setAttributeValue(arena, handle, db, 
 				   objectID, template, count);
     if (crv != CKR_OK) {
 	goto loser;
     }
     crv = (*db->sdb_Commit)(db);
 loser:
-    if (crv != CKR_OK) {
+    if (crv != CKR_OK && inTransaction) {
 	(*db->sdb_Abort)(db);
     }
     if (data) {
 	PORT_Free(ntemplate);
 	PORT_Free(data);
     }
-    PORT_FreeArena(arena, PR_FALSE);
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
     return crv;
 }
 
 CK_RV
 sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID)
 {
     CK_RV crv = CKR_OK;
     SDB *db;
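Review bot: The `loser` block frees `ntemplate` only inside `if (data)`, and it is now reached from two more paths, the `sftkdb_checkConflicts` failure and the arena allocation failure. That is correct only if `sftkdb_fixupTemplateIn` hands back the caller's template whenever it leaves `data` NULL, which is not visible here. A comment at the cleanup would pin the ownership rule down, for example `/* ntemplate is a private copy only when data was allocated */`. The start of sftkdb_SetAttributeValue is outside this hunk.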
@@ -2108,17 +2113,18 @@ sftkdb_updateObjectTemplate(PRArenaPool 
 	    case CKO_SECRET_KEY:
 		/* secret keys in the old database are all sdr keys, 
 		 * unfortunately they all appear to have the same CKA_ID, 
 		 * even though they are truly different keys, so we always 
 		 * want to update these keys, but we need to 
 		 * give them a new CKA_ID */
 		/* NOTE: this changes ptemplate */
 		attr = sftkdb_getAttributeFromTemplate(CKA_ID,ptemplate,*plen);
-		crv = sftkdb_incrementCKAID(arena, attr); 
+		crv = attr ? sftkdb_incrementCKAID(arena, attr) 
+		           : CKR_HOST_MEMORY; 
 		/* in the extremely rare event that we needed memory and
 		 * couldn't get it, just drop the key */
 		if (crv != CKR_OK) {
 		    return SFTKDB_DO_NOTHING;
 		}
 		done = PR_FALSE; /* repeat this find loop */
 		break;
 	    default:
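Review bot: Returning `CKR_HOST_MEMORY` when `sftkdb_getAttributeFromTemplate` finds no `CKA_ID` mislabels the failure, and the comment under it still says the key is dropped only "in the extremely rare event that we needed memory and couldn't get it". `crv` is only compared with `CKR_OK` in the visible lines, so the behaviour is fine, but the comment should cover both cases, for example `/* no CKA_ID in the template, or out of memory: just drop the key */`. The enclosing function starts and ends outside the hunk.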
--- a/security/nss/lib/softoken/sftkmod.c
+++ b/security/nss/lib/softoken/sftkmod.c
@@ -623,35 +623,41 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
 	if (!skip) {
 	    fputs(line,fd2);
 	}
 	/* we are definately not in a deleted block anymore */
 	skip = PR_FALSE;
     } 
     fclose(fd);
     fclose(fd2);
-    /* rename dbname2 to dbname */
     if (found) {
+	/* rename dbname2 to dbname */
 	PR_Delete(dbname);
 	PR_Rename(dbname2,dbname);
+    } else {
+	PR_Delete(dbname2);
     }
     PORT_Free(dbname2);
+    PORT_Free(lib);
+    PORT_Free(name);
     return SECSuccess;
 
 loser:
     if (fd != NULL) {
 	fclose(fd);
     }
     if (fd2 != NULL) {
 	fclose(fd2);
     }
     if (dbname2) {
 	PR_Delete(dbname2);
 	PORT_Free(dbname2);
     }
+    PORT_Free(lib);
+    PORT_Free(name);
     return SECFailure;
 }
 
 /*
  * Add a module to the Data base 
  */
 SECStatus
 sftkdb_AddSecmodDB(SDBType dbType, const char *appName, 
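Review bot: Both exits of sftkdb_DeleteSecmodDB now call `PORT_Free(lib)` and `PORT_Free(name)` unconditionally, so each pointer must be NULL until it is assigned; their declarations are outside this hunk. If either is declared without an initializer, an early `goto loser` would free an indeterminate pointer, and `char *lib = NULL;` and `char *name = NULL;` at the declarations rule that out. Separately, the success path still ignores the results of `PR_Delete(dbname)` and `PR_Rename(dbname2,dbname)` and returns SECSuccess, so a failed rename after the delete would go unreported.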
@@ -690,19 +696,19 @@ sftkdb_AddSecmodDB(SDBType dbType, const
 
 	if (PORT_Strncmp(module, "library=", 8) == 0) {
 	   libFound=PR_TRUE;
 	}
 	if (keyEnd == NULL) {
 	    block = sftkdb_DupCat(block, module);
 	    break;
 	}
-	value = sftk_argFetchValue(&keyEnd[1], &count);
 	block = sftkdb_DupnCat(block, module, keyEnd-module+1);
 	if (block == NULL) { goto loser; }
+	value = sftk_argFetchValue(&keyEnd[1], &count);
 	if (value) {
 	    block = sftkdb_DupCat(block, sftk_argStrip(value));
 	    PORT_Free(value);
 	}
 	if (block == NULL) { goto loser; }
 	block = sftkdb_DupnCat(block, "\n", 1);
 	module = keyEnd + 1 + count;
 	module = sftk_argStrip(module);
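Review bot: The moved `sftk_argFetchValue` call has no comment explaining the new order. Presumably it now follows the `block == NULL` check so that the `goto loser` cannot leak `value`, but the `loser` code is outside this hunk. A one-line comment above the call would keep a later cleanup from moving it back, for example `/* fetch value only after the block check, so the error path has nothing extra to free */`. The loop in sftkdb_AddSecmodDB starts and ends outside the hunk.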
--- a/security/nss/lib/softoken/sftkpars.c
+++ b/security/nss/lib/softoken/sftkpars.c
@@ -69,17 +69,17 @@ static PRBool sftk_argGetPair(char c) {
     case '[': return ']';
     case '(': return ')';
     default: break;
     }
     return ' ';
 }
 
 static PRBool sftk_argIsBlank(char c) {
-   return isspace(c);
+   return isspace((unsigned char )c);
 }
 
 static PRBool sftk_argIsEscape(char c) {
     return c == '\\';
 }
 
 static PRBool sftk_argIsQuote(char c) {
     switch (c) {
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -605,23 +605,23 @@ sftkdb_GetUpdatePasswordKey(SFTKDBHandle
 /*
  * free the update password key from a handle.
  */
 void
 sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *handle)
 {
     SECItem *key = NULL;
 
-    /* if we're a cert db, we don't have one */
-    if (handle->type == SFTK_CERTDB_TYPE) {
+    /* don't have one */
+    if (!handle) {
 	return;
     }
 
-    /* don't have one */
-    if (!handle) {
+    /* if we're a cert db, we don't have one */
+    if (handle->type == SFTK_CERTDB_TYPE) {
 	return;
     }
 
     PZ_Lock(handle->passwordLock);
     if (handle->updatePasswordKey) {
 	key = handle->updatePasswordKey;
 	handle->updatePasswordKey = NULL;
     }
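Review bot: The comment `/* don't have one */` on the new first check no longer reads well now that it precedes the cert-db case it used to echo. Say what is being tested, for example `/* no handle, so there is no update password key to free */`. The reorder itself is needed, since `handle->type` was previously read before the NULL test. sftkdb_FreeUpdatePasswordKey continues past the hunk.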
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -52,15 +52,15 @@
 
 /*
  * Softoken's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.12.4" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.12.4.4" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   12
 #define SOFTOKEN_VPATCH   4
 #define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/sqlite/config.mk
+++ b/security/nss/lib/sqlite/config.mk
@@ -50,22 +50,11 @@ endif
 ifeq ($(OS_TARGET),AIX)
 EXTRA_LIBS += -lpthreads
 ifdef BUILD_OPT
 OPTIMIZER=
 endif
 endif
 
 ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
 OS_LIBS += -lbsm 
 endif
 
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -102,24 +102,9 @@ EXTRA_SHARED_LIBS += \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 ifeq ($(OS_ARCH), BeOS)
 EXTRA_SHARED_LIBS += -lbe
 endif
 
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
 endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
-
-endif
--- a/security/nss/lib/ssl/sslmutex.c
+++ b/security/nss/lib/ssl/sslmutex.c
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslmutex.c,v 1.23 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */
+/* $Id: sslmutex.c,v 1.24 2009/06/05 02:34:14 nelson%bolyard.com Exp $ */
 
 #include "seccomon.h"
 /* This ifdef should match the one in sslsnce.c */
 #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)
 
 #include "sslmutex.h"
 #include "prerr.h"
 
@@ -84,17 +84,17 @@ static SECStatus single_process_sslMutex
     if (!pMutex->u.sslLock) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
     PR_Lock(pMutex->u.sslLock);
     return SECSuccess;
 }
 
-#if defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD)
+#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD)
 
 #include <unistd.h>
 #include <fcntl.h>
 #include <string.h>
 #include <errno.h>
 #include "unix_err.h"
 #include "pratom.h"
 
--- a/security/nss/lib/ssl/sslmutex.h
+++ b/security/nss/lib/ssl/sslmutex.h
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslmutex.h,v 1.11 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */
+/* $Id: sslmutex.h,v 1.12 2009/06/05 02:34:15 nelson%bolyard.com Exp $ */
 #ifndef __SSLMUTEX_H_
 #define __SSLMUTEX_H_ 1
 
 /* What SSL really wants is portable process-shared unnamed mutexes in 
  * shared memory, that have the property that if the process that holds
  * them dies, they are released automatically, and that (unlike fcntl 
  * record locking) lock to the thread, not to the process.  
  * NSPR doesn't provide that.  
@@ -78,17 +78,17 @@ typedef struct
 #endif
         PRLock* sslLock;
         HANDLE sslMutx;
     } u;
 } sslMutex;
 
 typedef int    sslPID;
 
-#elif defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD)
+#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD)
 
 #include <sys/types.h>
 #include "prtypes.h"
 
 typedef struct { 
     PRBool isMultiProcess;
     union {
         PRLock* sslLock;
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.49 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */
+/* $Id: sslsnce.c,v 1.50 2009/06/05 02:34:15 nelson%bolyard.com Exp $ */
 
 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
  * cache sids!
  *
  * About record locking among different server processes:
  *
  * All processes that are part of the same conceptual server (serving on 
  * the same address and port) MUST share a common SSL session cache. 
@@ -255,17 +255,17 @@ static PRBool isMultiProcess  = PR_FALSE
 #define DEF_SSL2_TIMEOUT	100   /* seconds */
 #define MAX_SSL2_TIMEOUT	100   /* seconds */
 #define MIN_SSL2_TIMEOUT	  5   /* seconds */
 
 #define DEF_SSL3_TIMEOUT      86400L  /* 24 hours */
 #define MAX_SSL3_TIMEOUT      86400L  /* 24 hours */
 #define MIN_SSL3_TIMEOUT          5   /* seconds  */
 
-#if defined(AIX) || defined(LINUX) || defined(VMS) || defined(NETBSD) || defined(OPENBSD)
+#if defined(AIX) || defined(LINUX) || defined(NETBSD) || defined(OPENBSD)
 #define MAX_SID_CACHE_LOCKS 8	/* two FDs per lock */
 #elif defined(OSF1)
 #define MAX_SID_CACHE_LOCKS 16	/* one FD per lock */
 #else
 #define MAX_SID_CACHE_LOCKS 256
 #endif
 
 #define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
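Review bot: The platform list that selects `MAX_SID_CACHE_LOCKS 8` does not line up with the list that selects the lock implementation in sslmutex.c and sslmutex.h. Here `defined(NETBSD)` has no `__NetBSD_Version__ < 500000000` bound, and BEOS and BSDI are missing. If that sslmutex branch is the implementation the "two FDs per lock" comment refers to (its body is not in these hunks), BEOS and BSDI builds fall through to 256 locks and could hold up to 512 descriptors for the session cache, while NetBSD 5 and later are capped at 8 without needing to be. Deriving both conditions from one macro defined in sslmutex.h (a name such as `SSL_MUTEX_USES_PIPES`, given here only as an example) would keep the lists from drifting the next time a platform is added or dropped.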
--- a/security/nss/lib/util/config.mk
+++ b/security/nss/lib/util/config.mk
@@ -75,30 +75,8 @@ EXTRA_SHARED_LIBS += \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 endif
 
-ifeq ($(OS_TARGET),SunOS)
-ifeq ($(BUILD_SUN_PKG), 1)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-ifeq ($(USE_64), 1)
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
-else
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
-endif
-else
-MKSHLIB += -R '$$ORIGIN'
-endif
-endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifneq ($(OS_TEST), ia64)
-# pa-risc
-ifeq ($(USE_64), 1)
-MKSHLIB += +b '$$ORIGIN'
-endif
-endif
-endif
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -46,15 +46,15 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.12.4 Beta"
+#define NSSUTIL_VERSION  "3.12.4.4 Beta"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   12
 #define NSSUTIL_VPATCH   4
 #define NSSUTIL_BETA     PR_TRUE
 
 #endif /* __nssutil_h_ */
--- a/security/nss/pkg/solaris/SUNWtlsd/prototype
+++ b/security/nss/pkg/solaris/SUNWtlsd/prototype
@@ -33,17 +33,17 @@
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 #
-#ident	"$Id: prototype,v 1.9 2009/03/02 23:21:03 christophe.ravel.bugs%sun.com Exp $"
+#ident	"$Id: prototype,v 1.10 2009/06/25 01:29:18 julien.pierre.boogz%sun.com Exp $"
 #
 # This required package information file contains a list of package contents.
 # The 'pkgmk' command uses this file to identify the contents of a package
 # and their location on the development machine when building the package.
 # Can be created via a text editor or through use of the 'pkgproto' command.
 
 #!search <pathname pathname ...>	# where to find pkg objects
 #!include <filename>			# include another 'prototype' file
@@ -154,8 +154,9 @@ f none usr/include/mps/secport.h 0644 ro
 #f none usr/include/mps/secrng.h 0644 root bin
 #f none usr/include/mps/secrngt.h 0644 root bin
 f none usr/include/mps/shsign.h 0644 root bin
 f none usr/include/mps/smime.h 0644 root bin
 f none usr/include/mps/ssl.h 0644 root bin
 f none usr/include/mps/sslerr.h 0644 root bin
 f none usr/include/mps/sslproto.h 0644 root bin
 f none usr/include/mps/sslt.h 0644 root bin
+f none usr/include/mps/utilrename.h 0644 root bin
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -162,17 +162,18 @@ 9
 n
 y
 -1
 n
 5
 6
 7
 9
-n" > ${CU_DATA}
+n
+" > ${CU_DATA}
 
     TESTNAME="Creating Root CA ${ENTITY}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
     echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
     print_cu_data
     ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
     html_msg $? 0 "${SCENARIO}${TESTNAME}"
 
@@ -199,30 +200,35 @@ create_cert_req()
 
     CTYPE_OPT=
     if [ -n "${CTYPE}" ]; then
         CTYPE_OPT="-k ${CTYPE}"
     fi
 
     CA_FLAG=
     EXT_DATA=
+    OPTIONS=
+
     if [ "${TYPE}" != "EE" ]; then
         CA_FLAG="-2"
         EXT_DATA="y
 -1
-y"
+y
+"
     fi
 
+    process_crldp
+
     echo "${EXT_DATA}" > ${CU_DATA}
 
     TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
-    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA}"
+    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
     print_cu_data
-    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA} 
+    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} 
     html_msg $? 0 "${SCENARIO}${TESTNAME}"
 }
 
 ############################ create_entity #############################
 # local shell function to create certificate chain entity
 ########################################################################
 create_entity()
 {
@@ -390,34 +396,96 @@ process_ocsp()
     if [ -n "${OCSP}" ]; then
         OPTIONS="${OPTIONS} --extAIA"
 
         DATA="${DATA}2
 7
 ${NSS_AIA_OCSP}:${OCSP}
 0
 n
-n"
+n
+"
+    fi
+}
+
+process_crldp()
+{
+    if [ -n "${CRLDP}" ]; then
+        OPTIONS="${OPTIONS} -4"
+
+        EXT_DATA="${EXT_DATA}1
+"
+
+        for ITEM in ${CRLDP}; do
+            CRL_PUBLIC="${HOST}-$$-${ITEM}.crl"
+
+            EXT_DATA="${EXT_DATA}7
+${NSS_AIA_HTTP}/${CRL_PUBLIC}
+"
+        done
+
+        EXT_DATA="${EXT_DATA}0
+0
+0
+n
+n
+"
     fi
 }
 
+process_ku_ns_eku()
+{
+    if [ -n "${EXT_KU}" ]; then
+        OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
+    fi
+    if [ -n "${EXT_NS}" ]; then
+        EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
+        EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
+
+        OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
+        DATA="${DATA}${EXT_NS_CODE}
+-1
+n
+"
+    fi
+    if [ -n "${EXT_EKU}" ]; then
+        OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
+    fi
+}
+
+copy_crl()
+
+{
+    if [ -z "${NSS_AIA_PATH}" ]; then
+        return;
+    fi
+
+    CRL_LOCAL="${COPYCRL}.crl"
+    CRL_PUBLIC="${HOST}-$$-${COPYCRL}.crl"
+
+    cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
+    chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
+    echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
+}
+
 ########################## process_extension ###########################
 # local shell function to process entity extension parameters and 
 # generate input for certutil
 ########################################################################
 process_extensions()
 {
     OPTIONS=
     DATA=
 
     process_policy
     process_mapping
     process_inhibit
     process_aia
     process_ocsp
+    process_ku_ns_eku
 }
 
 ############################## sign_cert ###############################
 # local shell function to sign certificate sign reuqest
 ########################################################################
 sign_cert()
 {
     ENTITY=$1
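Review bot: `copy_crl` sends cp's errors to /dev/null and never checks its exit status, so a CRL that failed to publish is still chmod-ed and recorded in `${AIA_FILES}`. A later revocation test that fetches it could then fail, or an expected-failure case could pass, for a reason the log does not show. The function also reads the global `COPYCRL` rather than `$1`, although the `copycrl` case in parse_config calls it with an argument. I would check the copy, report the failure and quote the paths, as below. The process_ocsp and sign_cert bodies at the edges of this hunk start or end outside it.

```shell
copy_crl()
{
    # … unchanged: NSS_AIA_PATH guard, CRL_LOCAL and CRL_PUBLIC assignments …

    if ! cp "${CRL_LOCAL}" "${NSS_AIA_PATH}/${CRL_PUBLIC}"; then
        echo "${SCRIPTNAME}: cannot copy ${CRL_LOCAL} to ${NSS_AIA_PATH}/${CRL_PUBLIC}"
        return 1
    fi
    chmod a+r "${NSS_AIA_PATH}/${CRL_PUBLIC}"
    echo "${NSS_AIA_PATH}/${CRL_PUBLIC}" >> "${AIA_FILES}"
}
```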
@@ -658,26 +726,29 @@ verify_cert()
             VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
         else
             CERT=${CERT_NICK}${CERT_ISSUER}.der
             VFY_CERTS="${VFY_CERTS} ${CERT}"
             VFY_LIST="${VFY_LIST} ${CERT}"
         fi
     done
 
-    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+    VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+    VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+
+    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
-    echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+    echo "vfychain ${VFY_OPTS_ALL}"
 
     if [ -z "${MEMLEAK_DBG}" ]; then
-        VFY_OUT=$(${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>&1)
+        VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
         RESULT=$?
         echo "${VFY_OUT}"
     else 
-        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE})
+        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
         RESULT=$?
         echo "${VFY_OUT}"
     fi
 
     echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
     E5990=$?
     echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
     E8030=$?
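Review bot: In the `MEMLEAK_DBG` branch stderr is appended to `${LOGFILE}` instead of being captured, so `VFY_OUT` holds stdout only, yet the greps for `ERROR -5990` and `ERROR -8030` just below read `VFY_OUT`. If vfychain prints those errors on stderr, which the `2>&1` in the other branch suggests, the timeout and bad-HTTP-response detection never fires in memleak runs. A comment on that line would make the limitation explicit, for example `# stderr goes to ${LOGFILE} here, so the ERROR greps below see stdout only`. verify_cert starts before this hunk and continues after it.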
@@ -694,17 +765,16 @@ verify_cert()
         html_passed "${SCENARIO}${TESTNAME}"
     elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
         html_passed "${SCENARIO}${TESTNAME}"
     else
         html_failed "${SCENARIO}${TESTNAME}"
     fi
 }
 
-
 check_ocsp()
 {
     OCSP_CERT=$1
 
     CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
     CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
 
     if [ "${CERT_ISSUER}" = "x" ]; then
@@ -717,17 +787,17 @@ check_ocsp()
     fi
 
     OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
 
     if [ "${OS_ARCH}" = "WINNT" ]; then
         ping -n 1 ${OCSP_HOST}
         return $?
     elif [ "${OS_ARCH}" = "HP-UX" ]; then
-        ping ${OCSP_HOST} -c 1
+        ping ${OCSP_HOST} -n 1
         return $?
     else
         ping -c 1 ${OCSP_HOST}
         return $?
     fi
 }
 
 ############################ parse_result ##############################
@@ -775,19 +845,23 @@ parse_config()
             ENTITY="${VALUE}"
             TYPE=
             ISSUER=
             CTYPE=
             POLICY=
             MAPPING=
             INHIBIT=
             AIA=
+            CRLDP=
             OCSP=
             DB=
             EMAILS=
+            EXT_KU=
+            EXT_NS=
+            EXT_EKU=
             ;;
         "type")
             TYPE="${VALUE}"
             ;;
         "issuer")
             if [ -n "${ISSUER}" ]; then
                 if [ -z "${DB}" ]; then
                     create_entity "${ENTITY}" "${TYPE}"
@@ -795,32 +869,38 @@ parse_config()
                 sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
             fi
 
             ISSUER="${VALUE}"
             POLICY=
             MAPPING=
             INHIBIT=
             AIA=
+            EXT_KU=
+            EXT_NS=
+            EXT_EKU=
             ;;
         "ctype") 
             CTYPE="${VALUE}"
             ;;
         "policy")
             POLICY="${POLICY} ${VALUE}"
             ;;
         "mapping")
             MAPPING="${MAPPING} ${VALUE}"
             ;;
         "inhibit")
             INHIBIT="${VALUE}"
             ;;
         "aia")
             AIA="${AIA} ${VALUE}"
             ;;
+        "crldp")
+            CRLDP="${CRLDP} ${VALUE}"
+            ;;
         "ocsp")
             OCSP="${VALUE}"
             ;;
         "db")
             DB="${VALUE}DB"
             create_db "${DB}"
             ;;
         "import")
@@ -837,23 +917,28 @@ parse_config()
             create_crl "${ISSUER}"
             ;;
         "revoke")
             REVOKE="${VALUE}"
             ;;
         "serial")
             SERIAL="${VALUE}"
             ;;
+        "copycrl")
+            COPYCRL="${VALUE}"
+            copy_crl "${COPYCRL}"
+            ;;
         "verify")
             VERIFY="${VALUE}"
             TRUST=
             POLICY=
             FETCH=
             EXP_RESULT=
             REV_OPTS=
+            USAGE_OPT=
             ;;
         "cert")
             VERIFY="${VERIFY} ${VALUE}"
             ;;
         "testdb")
             if [ -n "${VALUE}" ]; then
                 DB="${VALUE}DB"
             else
@@ -902,16 +987,28 @@ parse_config()
             ;;
         "check_ocsp")
             check_ocsp ${VALUE}
             if [ $? -ne 0 ]; then
                 echo "OCSP server not accessible, skipping OCSP tests"
                 break;
             fi
             ;;
+        "ku")
+            EXT_KU="${VALUE}"
+            ;;
+        "ns")
+            EXT_NS="${VALUE}"
+            ;;
+        "eku")
+            EXT_EKU="${VALUE}"
+            ;;
+        "usage")
+            USAGE_OPT="-u ${VALUE}"
+            ;;
         "")
             if [ -n "${ENTITY}" ]; then
                 if [ -z "${DB}" ]; then
                     create_entity "${ENTITY}" "${TYPE}"
                 fi
                 sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
                 if [ "${TYPE}" = "Bridge" ]; then
                     create_pkcs7 "${ENTITY}"
--- a/security/nss/tests/dbtests/dbtests.sh
+++ b/security/nss/tests/dbtests/dbtests.sh
@@ -75,18 +75,16 @@ dbtest_init()
       . ./init.sh
   fi
   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
       cd ../cert
       . ./cert.sh
   fi
 
   SCRIPTNAME="dbtests.sh"
-  DBTEST_LOG=${HOSTDIR}/dbtest.log    #we don't want all the errormessages 
-         # in the output.log, otherwise we can't tell what's a real error
   RONLY_DIR=${HOSTDIR}/ronlydir
   EMPTY_DIR=${HOSTDIR}/emptydir
   CONFLICT_DIR=${HOSTDIR}/conflictdir
 
   html_head "CERT and Key DB Tests"
 
 }
 
@@ -278,10 +276,10 @@ dbtest_main()
       html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected"
     fi
 
 }
 
 ################## main #################################################
 
 dbtest_init 
-dbtest_main >$DBTEST_LOG 2>&1
+dbtest_main 2>&1
 dbtest_cleanup
index 1a8a0859330596e5b06b9f2899f7824077af6898..6e7f755542f4bf82aa4c6122d5da340fdcf4d14c
GIT binary patch
literal 1483
zc$|GydrT8|9PeGPErkNID+Q6qAwmGP{a(vk7-5A8K6n*s1*e?lfJ$juTPTPcsak^5
zz?k9|Hy$n#CL?3RxT%9VkN~=wi4Nn;f?>*ZW+O7iJz&`#0+B88{`!5tpYQYY{p7&L
z8w4BnNedT6P;}Xj&Glb!`UPFbkDe%M)%gAm&U|60J=y-u89{hF4pd(toj}OvW@CID
z%~p{f;LaM3xQm)L=~TKx!x|#Rpp}w-;KKq=xMTq!vP@-W3z14&tVUBYxelVA2gtK%
zQ;C@{77%4-nxHI1k;PJKj*-c%R;#p}Nj5XdQmwH>W-6tKU~LFQkYONalezfn#p+5u
zWi}HEBB{bc8}jLVLQUy)`IJRxG!QD)CPJA2z8=mH4Po*qnEP@(oJoK%Amxhi=<w(q
zupzD_4sLv>)qDg)Y>}}j!kyc4Ie5J2L~(~iT2EOi6HTsw<?JM`_$z8s3TxOg*fqkX
z!8=39W#GbsJY1jvGE5#3xs*J%7h|}I9iziZ1-VuZa&p1xfIBLg1qzHNgN`EIz?F3h
z#11OTKx{CYX;K1W)+H1>%b6@9l^_{%RTk16@VSeKMd?&!I;Ee#hc|f5(JjVP3{26I
zd15Nf7P`c|a7M1!g(ba|sw}1SEagz${GtL79*0|flu<z~T3yY#_aJig!I<06(u@;f
z2VyhoYM!(;kF^f<c3-*Hn0QqYpL->+UCwLv(M&ws|7z&?xae$;rhBkEHJ~djJu~;Q
zLb&y5O;prh>Af;zXXa4f$w}qDg#M~5dqT$W_1j<nnVjRU)!s+Sn}>&bJ|8@yYmh$L
zd+Xus-P#SeD;mna?JGvP2nYGlhWySPZgP%S9~?u0Gp9Ts7fgbQ&v#UrZnS0Bjd2Kn
z_akFdcP83m!HI=kF^r4yTHrO-@WU82LS##Li^5K_@?+GOq*l?|G84U4Ytk>3;Q}HD
zh>$WUB(gOKEDl&rJLTDv5&IuWh`@snp%Bb>V1&ct2~b4h{W4`gpE?j@?>e8tMHXKu
z__1&R<_VJh;+ezg7n;ro=2T@LN;}Tc);-h|D`C$<FoIyEV1Ts?HXwHY|1M?JnoF0A
z0C9`q=>IvObkxf@piN*{>@LD~LSF0kmTiy&8c<7wx)Q38mKEv>z#sfTz~`-Y;i6uc
zcw_PT;6}da;&+)*Cqq8oD0s`C=LtcQRrAgD#zN!LrsZbVM@rdJOaDt;8-j4`ABhUv
zW%0&mX#+(qLvG4*PvQp;@Y_G|n<}m;AMYIw=v;rcdtl=)^~X|tCu&41uZ$M$8x7iY
z`IfAyvG%D~dz0ak@8n3srqkt~vvJmB`s$Z6v*$w7yYf$9r(*V2wa46>YU)4u`sPzn
z_Cw9vrm2cOw!=TUkL<d5Y0Kk=`bL9DFqwCM%b5nZ!z=M~>L1Ra9evlozxnp~8(UjD
z)dBsx$W+a{@izsKRFM`@+b0~cy+3kr-Fs~@ej&NnPFMc3<IOvrxsRQ$#)WP>wEJ?=
zK*(9w$o5r<$|t#b)^~ne5!A8%(O0wHyE~~H)BW3fK)7P_r=Q{9)cyFYW~%jA;>_LY
Fe*yj$-W31<
index 28e971d684413f6336f2a1197e655cb1c2c9b4fc..459373be94872c6cf99e61b0550d14e82f28497d
GIT binary patch
literal 1512
zc$_n6Vtr!J#Byc<GZP~dlR$KN<T3G<hjGW%4;W3=)W|mAW#iOp^Jx3d%gD&e%3#oV
z%8=WDlZ`o)g-w_#G}utwKorE`66Om_Ey@heOwZF%@XSlrGn6-w1xauVi@_umLW)X@
zOBDQ4OUm<$vJI^aEFcODHIg+Ij0_CS6i|&&&{c5DFH%S>Ey>6)%B)IFQ7A1=RmjiF
zsWfyoa0cmR7Pf&K?wpfYT&!TM5Kx+wlbNg#P?VXQSX8OtoLW?pnU<NHSdy8ar{D-N
ztE3WWw!5i;oH(z6nW3S9g#j2uiSrtQxaLO2rk19bQ3j2>sO4E}151bkqmb01++v0N
zG_Yq9OB6CnN(zdt^!3Zj%k|2Dnu~#&^^)^*^@|D;6@VcFbfAfW5yZFJ7`}C_C`rvr
z0R~N2VoqiX#FN3nJ_^o`22G4g$dSj$%D~*j$j<;2=VEGNWMr6edqL>yIe*0~AJ57Y
zk=+<QL%Cfnuf1%}RtxK`3#zuTCv!?Z)9Ub8`F!p+gD8&aJa1M#5z8z}Ql9m@Dnw((
zQ6Amx*Oj)N_-P@2{O&D7w^>s}`sTf>Sg>8`if71l-=`(fllHvH(YgQp;5KQg(Cjo0
z=6culvy49q9LSmJHA%&gBlj+oU1C{9#kRL~=Ie4kcRt+y@Q&!2?P2p97Hnj#_cIs$
zzg=IhpUuKPV0)&<;;m`%W>P^O&S^pS7ftfNERnG9@vAt=Le~BBWO6c!RP#4i7oW`C
zEA)T1qfy+K7j;Lu7yG1K^xLDxk@{P5dPK!T<Na?l>^7>q<{x<UW_srLn9JV-nV1<F
z7#BA&UIK>5IdJ^R^0A1qi2Uga*fnpbYE*S-tN&Dn<o=ft+0F(+AZcMn#{VoF25dlz
ziIKs;79^&?VrBq}9~K~!!9dGEgN;L*4VY8dnHa@naK>$NK`}(TJVg5fg9UnRIw0jh
z)vjT|smY~9sk+HUIjGtSk`s+}(@ph&5(a!A?ff7Yu>f-}n}Hx3XF{6?W7`iWMn<Sm
zF3c^AJS>R@@e5-YL>ojJgd2p4aRM_(da8bUW}1PbfxH1b8>==SGm{jHNdMEzQf+H`
z`?3$8Z^*jhA)!+(sb`=nrVMpjPJVhms*}o!!D1kjG(j#BWKl9uSR!X2V<=@H0ZFxj
z;KXX|>}X_QVxeoOYhn)cJIrN_EQSX92D&i50b`pYdNAZC7Z;#dY9J4?Nts2$K&(Ne
z{&MQ_LwDco{$RlQ+1c_J(|Th=W3)nx8I;_oE&5ge%=YaS?Q`2j?GF?&$9L}%o1psr
zQ1gxBr6$Q4Lcu)2oz*A9IF}zbbMfQ5kd(B!?bnNivrW=_gO$YX{;qkKuIKzHw%)kq
z)1ra{c}>#~nEX{erd<E_*@mOx&Mlkn>3+QM%|l+KFnrS*!-vyVluruBmOOQP&sj6?
z;Y>p=j!NnN!ujH9CoImt>zTfdZD+CDlgm>MK26xFTB>_9)9}sNX@?h={e4m5vPNj9
z@BY9SJFmF-sh?h_aIsFSW?QoRys}->FNi(o&dL4moNvsnX;A)a?$57&JIXenmDuuA
q;l1tcXQ$TAzTkJMeI@TQm*RlC1<`NU)_Ltwy1GK`$)Q#S-kSh$LJTSZ