Bug 834741, NSPR_4_9_5_BETA2 and NSS_3_14_2_BETA2, r=wtc
authorKai Engert <kaie@kuix.de>
Fri, 25 Jan 2013 17:26:46 +0100
changeset 119876 afdf04262e61277a92c1cbce21c3fa2c47a3c941
parent 119875 5a2c4f450e07f554f5fddd8535ecb174b776544c
child 119877 cb38771328da7cd7049869f2268ea9d76a9183b1
push id24231
push userryanvm@gmail.com
push dateSun, 27 Jan 2013 00:13:14 +0000
reviewerswtc
bugs834741
milestone21.0a1
Bug 834741, NSPR_4_9_5_BETA2 and NSS_3_14_2_BETA2, r=wtc
dbm/src/mktemp.c
nsprpub/TAG-INFO
nsprpub/config/prdepend.h
nsprpub/configure
nsprpub/configure.in
nsprpub/pr/src/Makefile.in
nsprpub/pr/src/pthreads/ptio.c
security/coreconf/Android.mk
security/coreconf/Linux.mk
security/coreconf/SunOS5.mk
security/coreconf/arch.mk
security/coreconf/config.mk
security/coreconf/coreconf.dep
security/nss/Makefile
security/nss/TAG-INFO
security/nss/TAG-INFO-CKBI
security/nss/cmd/certutil/certutil.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/multinit/multinit.c
security/nss/cmd/ocspclnt/ocspclnt.c
security/nss/cmd/shlibsign/Makefile
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/vfychain/vfychain.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocspti.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour.c
security/nss/lib/freebl/desblapi.c
security/nss/lib/freebl/intel-gcm-wrap.c
security/nss/lib/freebl/intel-gcm.h
security/nss/lib/freebl/intel-gcm.s
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/libpkix/include/pkix_params.h
security/nss/lib/libpkix/pkix/params/pkix_procparams.c
security/nss/lib/libpkix/pkix/params/pkix_procparams.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix/top/pkix_build.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pkcs7/certread.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/softoken/sdb.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/util/secasn1t.h
security/nss/lib/util/secoid.c
security/nss/tests/cert/cert.sh
security/nss/tests/chains/chains.sh
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/chains/scenarios/trustanchors.cfg
security/nss/tests/common/init.sh
security/nss/tests/dummy/dummy.sh
security/nss/tests/remote/Makefile
security/nss/tests/remote/manifest.mn
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -79,19 +79,16 @@ mkstempflags(char *path, int extraFlags)
 }
 
 /* NB: This routine modifies its input string, and does not always restore it.
 ** returns 1 on success, 0 on failure.
 */
 static int 
 _gettemp(char *path, register int *doopen, int extraFlags)
 {    
-#if !defined(_WINDOWS) || defined(_WIN32)
-	extern int errno;                    
-#endif
 	register char *start, *trv;
 	struct stat sbuf;
 	unsigned int pid;
 
 	pid = getpid();
 	for (trv = path; *trv; ++trv);		/* extra X's get set to 0's */
 	while (*--trv == 'X') {
 		*trv = (pid % 10) + '0';
--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1,1 +1,1 @@
-NSPR_4_9_5_BETA1
+NSPR_4_9_5_BETA2
--- a/nsprpub/config/prdepend.h
+++ b/nsprpub/config/prdepend.h
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSPR in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -873,17 +873,17 @@ if test "${with_android_platform+set}" =
 fi
 
 
 case "$target" in
 arm-linux*-android*|*-linuxandroid*)
     android_tool_prefix="arm-linux-androideabi"
     ;;
 i?86-*android*)
-    android_tool_prefix="i686-android-linux"
+    android_tool_prefix="i686-linux-android"
     ;;
 mipsel-*android*)
     android_tool_prefix="mipsel-linux-android"
     ;;
 *)
     android_tool_prefix="$target_os"
     ;;
 esac
@@ -968,16 +968,24 @@ echo "configure:954: checking for androi
 
         if test -d "$android_platform" ; then
             echo "$ac_t""$android_platform" 1>&6
         else
             { echo "configure: error: not found. You have to specify --with-android-platform=/path/to/ndk/platform." 1>&2; exit 1; }
         fi
     fi
 
+            case "$target_cpu" in
+    i?86)
+        if ! test -e "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then
+                        android_tool_prefix="i686-android-linux"
+        fi
+        ;;
+    esac
+
         AS="$android_toolchain"/bin/"$android_tool_prefix"-as
     CC="$android_toolchain"/bin/"$android_tool_prefix"-gcc
     CXX="$android_toolchain"/bin/"$android_tool_prefix"-g++
     CPP="$android_toolchain"/bin/"$android_tool_prefix"-cpp
     LD="$android_toolchain"/bin/"$android_tool_prefix"-ld
     AR="$android_toolchain"/bin/"$android_tool_prefix"-ar
     RANLIB="$android_toolchain"/bin/"$android_tool_prefix"-ranlib
     STRIP="$android_toolchain"/bin/"$android_tool_prefix"-strip
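Review bot: The fallback added just before the `AS=` … `STRIP=` assignments switches `android_tool_prefix` to `i686-android-linux` whenever the `i686-linux-android-gcc` binary is missing, but never checks that the legacy-named compiler exists either, so a mistyped or unexpected `--with-android-toolchain` directory is accepted silently and only surfaces later as a generic compiler failure. I would verify the fallback as well and stop with a `configure: error` that names both prefixes tried, so the build cannot proceed with a toolchain path nobody confirmed. The guard is also better written as `if test ! -x "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then`, since `if ! test -e` is not accepted by every Bourne shell and `-x` matches the intent of running the file. The shifted `configure:NNNN` numbers in the later hunks suggest this file is regenerated, so the change presumably belongs in `nsprpub/configure.in`, which is outside this view.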
@@ -1299,17 +1307,17 @@ if test -z "$CXX"; then
 
     esac
 fi
 
 if test -z "$SKIP_PATH_CHECKS"; then
     # Extract the first word of "$WHOAMI whoami", so it can be a program name with args.
 set dummy $WHOAMI whoami; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1308: checking for $ac_word" >&5
+echo "configure:1316: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_WHOAMI'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$WHOAMI" in
   /*)
   ac_cv_path_WHOAMI="$WHOAMI" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -1371,23 +1379,23 @@ if test "$target" != "$host" -o -n "$CRO
     echo "cross compiling from $host to $target"
     cross_compiling=yes
 
     _SAVE_CC="$CC"
     _SAVE_CFLAGS="$CFLAGS"
     _SAVE_LDFLAGS="$LDFLAGS"
 
     echo $ac_n "checking for $host compiler""... $ac_c" 1>&6
-echo "configure:1380: checking for $host compiler" >&5
+echo "configure:1388: checking for $host compiler" >&5
     for ac_prog in $HOST_CC gcc cc /usr/ucb/cc
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1386: checking for $ac_word" >&5
+echo "configure:1394: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_HOST_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$HOST_CC"; then
   ac_cv_prog_HOST_CC="$HOST_CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1423,26 +1431,26 @@ test -n "$HOST_CC" || HOST_CC=""""
         HOST_LDFLAGS="$LDFLAGS"
     fi
 
     CC="$HOST_CC"
     CFLAGS="$HOST_CFLAGS"
     LDFLAGS="$HOST_LDFLAGS"
 
     echo $ac_n "checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1432: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
+echo "configure:1440: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
     cat > conftest.$ac_ext <<EOF
-#line 1434 "configure"
+#line 1442 "configure"
 #include "confdefs.h"
 
 int main() {
 return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:1441: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:1449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ac_cv_prog_host_cc_works=1 echo "$ac_t""yes" 1>&6
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   { echo "configure: error: installation or configuration problem: $host compiler $HOST_CC cannot create executables." 1>&2; exit 1; } 
 fi
@@ -1467,17 +1475,17 @@ rm -f conftest*
         ;;
     esac
 
     for ac_prog in $CC "${target_alias}-gcc" "${target}-gcc"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1476: checking for $ac_word" >&5
+echo "configure:1484: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1501,17 +1509,17 @@ fi
 test -n "$CC" && break
 done
 test -n "$CC" || CC="echo"
 
     unset ac_cv_prog_CC
     # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1510: checking for $ac_word" >&5
+echo "configure:1518: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1531,17 +1539,17 @@ if test -n "$CC"; then
 else
   echo "$ac_t""no" 1>&6
 fi
 
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1540: checking for $ac_word" >&5
+echo "configure:1548: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_prog_rejected=no
@@ -1582,17 +1590,17 @@ else
 fi
 
   if test -z "$CC"; then
     case "`uname -s`" in
     *win32* | *WIN32*)
       # Extract the first word of "cl", so it can be a program name with args.
 set dummy cl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1591: checking for $ac_word" >&5
+echo "configure:1599: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1614,33 +1622,33 @@ else
 fi
  ;;
     esac
   fi
   test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
 fi
 
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1623: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:1631: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
 
 ac_ext=c
 # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 1634 "configure"
+#line 1642 "configure"
 #include "confdefs.h"
 
 main(){return(0);}
 EOF
-if { (eval echo configure:1639: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1647: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cc_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
     ac_cv_prog_cc_cross=no
   else
     ac_cv_prog_cc_cross=yes
   fi
 else
@@ -1656,31 +1664,31 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAG
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
 if test $ac_cv_prog_cc_works = no; then
   { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1665: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:1673: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:1670: checking whether we are using GNU C" >&5
+echo "configure:1678: checking whether we are using GNU C" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.c <<EOF
 #ifdef __GNUC__
   yes;
 #endif
 EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1679: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1687: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gcc=yes
 else
   ac_cv_prog_gcc=no
 fi
 fi
 
 echo "$ac_t""$ac_cv_prog_gcc" 1>&6
 
@@ -1689,17 +1697,17 @@ if test $ac_cv_prog_gcc = yes; then
 else
   GCC=
 fi
 
 ac_test_CFLAGS="${CFLAGS+set}"
 ac_save_CFLAGS="$CFLAGS"
 CFLAGS=
 echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:1698: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:1706: checking whether ${CC-cc} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   echo 'void f(){}' > conftest.c
 if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
   ac_cv_prog_cc_g=yes
 else
   ac_cv_prog_cc_g=no
@@ -1726,17 +1734,17 @@ else
 fi
 
     if test -n "$USE_CPLUS"; then
         for ac_prog in $CXX "${target_alias}-g++" "${target}-g++"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1735: checking for $ac_word" >&5
+echo "configure:1743: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CXX"; then
   ac_cv_prog_CXX="$CXX" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1762,17 +1770,17 @@ done
 test -n "$CXX" || CXX="echo"
 
         unset ac_cv_prog_CXX
         for ac_prog in $CCC c++ g++ gcc CC cxx cc++ cl
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1771: checking for $ac_word" >&5
+echo "configure:1779: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CXX"; then
   ac_cv_prog_CXX="$CXX" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1794,33 +1802,33 @@ else
 fi
 
 test -n "$CXX" && break
 done
 test -n "$CXX" || CXX="gcc"
 
 
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1803: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
+echo "configure:1811: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
 
 ac_ext=C
 # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='${CXX-g++} -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
 ac_link='${CXX-g++} -o conftest${ac_exeext} $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cxx_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 1814 "configure"
+#line 1822 "configure"
 #include "confdefs.h"
 
 int main(){return(0);}
 EOF
-if { (eval echo configure:1819: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1827: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cxx_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
     ac_cv_prog_cxx_cross=no
   else
     ac_cv_prog_cxx_cross=yes
   fi
 else
@@ -1836,31 +1844,31 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAG
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo "$ac_t""$ac_cv_prog_cxx_works" 1>&6
 if test $ac_cv_prog_cxx_works = no; then
   { echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1845: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:1853: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
 cross_compiling=$ac_cv_prog_cxx_cross
 
 echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
-echo "configure:1850: checking whether we are using GNU C++" >&5
+echo "configure:1858: checking whether we are using GNU C++" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.C <<EOF
 #ifdef __GNUC__
   yes;
 #endif
 EOF
-if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1859: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1867: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gxx=yes
 else
   ac_cv_prog_gxx=no
 fi
 fi
 
 echo "$ac_t""$ac_cv_prog_gxx" 1>&6
 
@@ -1869,17 +1877,17 @@ if test $ac_cv_prog_gxx = yes; then
 else
   GXX=
 fi
 
 ac_test_CXXFLAGS="${CXXFLAGS+set}"
 ac_save_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS=
 echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
-echo "configure:1878: checking whether ${CXX-g++} accepts -g" >&5
+echo "configure:1886: checking whether ${CXX-g++} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   echo 'void f(){}' > conftest.cc
 if test -z "`${CXX-g++} -g -c conftest.cc 2>&1`"; then
   ac_cv_prog_cxx_g=yes
 else
   ac_cv_prog_cxx_g=no
@@ -1914,17 +1922,17 @@ fi
         ;;
     esac
 
     for ac_prog in $RANLIB "${target_alias}-ranlib" "${target}-ranlib"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1923: checking for $ac_word" >&5
+echo "configure:1931: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$RANLIB"; then
   ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1949,17 +1957,17 @@ test -n "$RANLIB" && break
 done
 test -n "$RANLIB" || RANLIB="echo"
 
     for ac_prog in $AR "${target_alias}-ar" "${target}-ar"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1958: checking for $ac_word" >&5
+echo "configure:1966: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$AR"; then
   ac_cv_prog_AR="$AR" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -1984,17 +1992,17 @@ test -n "$AR" && break
 done
 test -n "$AR" || AR="echo"
 
     for ac_prog in $AS "${target_alias}-as" "${target}-as"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1993: checking for $ac_word" >&5
+echo "configure:2001: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_AS'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$AS"; then
   ac_cv_prog_AS="$AS" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2019,17 +2027,17 @@ test -n "$AS" && break
 done
 test -n "$AS" || AS="echo"
 
     for ac_prog in $LD "${target_alias}-ld" "${target}-ld"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2028: checking for $ac_word" >&5
+echo "configure:2036: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_LD'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$LD"; then
   ac_cv_prog_LD="$LD" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2054,17 +2062,17 @@ test -n "$LD" && break
 done
 test -n "$LD" || LD="echo"
 
     for ac_prog in $STRIP "${target_alias}-strip" "${target}-strip"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2063: checking for $ac_word" >&5
+echo "configure:2071: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_STRIP'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$STRIP"; then
   ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2089,17 +2097,17 @@ test -n "$STRIP" && break
 done
 test -n "$STRIP" || STRIP="echo"
 
     for ac_prog in $WINDRES "${target_alias}-windres" "${target}-windres"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2098: checking for $ac_word" >&5
+echo "configure:2106: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_WINDRES'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$WINDRES"; then
   ac_cv_prog_WINDRES="$WINDRES" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2124,17 +2132,17 @@ test -n "$WINDRES" && break
 done
 test -n "$WINDRES" || WINDRES="echo"
 
 
 else
     # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2133: checking for $ac_word" >&5
+echo "configure:2141: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2154,17 +2162,17 @@ if test -n "$CC"; then
 else
   echo "$ac_t""no" 1>&6
 fi
 
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2163: checking for $ac_word" >&5
+echo "configure:2171: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_prog_rejected=no
@@ -2205,17 +2213,17 @@ else
 fi
 
   if test -z "$CC"; then
     case "`uname -s`" in
     *win32* | *WIN32*)
       # Extract the first word of "cl", so it can be a program name with args.
 set dummy cl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2214: checking for $ac_word" >&5
+echo "configure:2222: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2237,33 +2245,33 @@ else
 fi
  ;;
     esac
   fi
   test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
 fi
 
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:2246: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:2254: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
 
 ac_ext=c
 # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 2257 "configure"
+#line 2265 "configure"
 #include "confdefs.h"
 
 main(){return(0);}
 EOF
-if { (eval echo configure:2262: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2270: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cc_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
     ac_cv_prog_cc_cross=no
   else
     ac_cv_prog_cc_cross=yes
   fi
 else
@@ -2279,31 +2287,31 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAG
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
 if test $ac_cv_prog_cc_works = no; then
   { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:2288: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:2296: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:2293: checking whether we are using GNU C" >&5
+echo "configure:2301: checking whether we are using GNU C" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.c <<EOF
 #ifdef __GNUC__
   yes;
 #endif
 EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2302: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2310: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gcc=yes
 else
   ac_cv_prog_gcc=no
 fi
 fi
 
 echo "$ac_t""$ac_cv_prog_gcc" 1>&6
 
@@ -2312,17 +2320,17 @@ if test $ac_cv_prog_gcc = yes; then
 else
   GCC=
 fi
 
 ac_test_CFLAGS="${CFLAGS+set}"
 ac_save_CFLAGS="$CFLAGS"
 CFLAGS=
 echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:2321: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:2329: checking whether ${CC-cc} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   echo 'void f(){}' > conftest.c
 if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
   ac_cv_prog_cc_g=yes
 else
   ac_cv_prog_cc_g=no
@@ -2352,17 +2360,17 @@ fi
         if test "$CC" = "cl" -a -z "$CXX"; then
             CXX=$CC
         else        
             for ac_prog in $CCC c++ g++ gcc CC cxx cc++ cl
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2361: checking for $ac_word" >&5
+echo "configure:2369: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$CXX"; then
   ac_cv_prog_CXX="$CXX" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2384,33 +2392,33 @@ else
 fi
 
 test -n "$CXX" && break
 done
 test -n "$CXX" || CXX="gcc"
 
 
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:2393: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
+echo "configure:2401: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
 
 ac_ext=C
 # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='${CXX-g++} -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
 ac_link='${CXX-g++} -o conftest${ac_exeext} $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cxx_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 2404 "configure"
+#line 2412 "configure"
 #include "confdefs.h"
 
 int main(){return(0);}
 EOF
-if { (eval echo configure:2409: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2417: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cxx_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
     ac_cv_prog_cxx_cross=no
   else
     ac_cv_prog_cxx_cross=yes
   fi
 else
@@ -2426,31 +2434,31 @@ ac_compile='${CC-cc} -c $CFLAGS $CPPFLAG
 ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo "$ac_t""$ac_cv_prog_cxx_works" 1>&6
 if test $ac_cv_prog_cxx_works = no; then
   { echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:2435: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:2443: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
 cross_compiling=$ac_cv_prog_cxx_cross
 
 echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
-echo "configure:2440: checking whether we are using GNU C++" >&5
+echo "configure:2448: checking whether we are using GNU C++" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.C <<EOF
 #ifdef __GNUC__
   yes;
 #endif
 EOF
-if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2449: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2457: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gxx=yes
 else
   ac_cv_prog_gxx=no
 fi
 fi
 
 echo "$ac_t""$ac_cv_prog_gxx" 1>&6
 
@@ -2459,17 +2467,17 @@ if test $ac_cv_prog_gxx = yes; then
 else
   GXX=
 fi
 
 ac_test_CXXFLAGS="${CXXFLAGS+set}"
 ac_save_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS=
 echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
-echo "configure:2468: checking whether ${CXX-g++} accepts -g" >&5
+echo "configure:2476: checking whether ${CXX-g++} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   echo 'void f(){}' > conftest.cc
 if test -z "`${CXX-g++} -g -c conftest.cc 2>&1`"; then
   ac_cv_prog_cxx_g=yes
 else
   ac_cv_prog_cxx_g=no
@@ -2493,72 +2501,72 @@ else
   else
     CXXFLAGS=
   fi
 fi
 
         fi
     fi
     echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:2502: checking how to run the C preprocessor" >&5
+echo "configure:2510: checking how to run the C preprocessor" >&5
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 fi
 if test -z "$CPP"; then
 if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
     # This must be in double quotes, not single quotes, because CPP may get
   # substituted into the Makefile and "${CC-cc}" will confuse make.
   CPP="${CC-cc} -E"
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp.
   cat > conftest.$ac_ext <<EOF
-#line 2517 "configure"
+#line 2525 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2523: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2531: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   CPP="${CC-cc} -E -traditional-cpp"
   cat > conftest.$ac_ext <<EOF
-#line 2534 "configure"
+#line 2542 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2540: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2548: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   CPP="${CC-cc} -nologo -E"
   cat > conftest.$ac_ext <<EOF
-#line 2551 "configure"
+#line 2559 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2557: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2565: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
@@ -2575,17 +2583,17 @@ fi
 else
   ac_cv_prog_CPP="$CPP"
 fi
 echo "$ac_t""$CPP" 1>&6
 
     # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2584: checking for $ac_word" >&5
+echo "configure:2592: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   if test -n "$RANLIB"; then
   ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
 else
   IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
   ac_dummy="$PATH"
@@ -2607,17 +2615,17 @@ else
   echo "$ac_t""no" 1>&6
 fi
 
     for ac_prog in as
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2616: checking for $ac_word" >&5
+echo "configure:2624: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_AS'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$AS" in
   /*)
   ac_cv_path_AS="$AS" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -2648,17 +2656,17 @@ test -n "$AS" && break
 done
 test -n "$AS" || AS="$CC"
 
     for ac_prog in ar
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2657: checking for $ac_word" >&5
+echo "configure:2665: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$AR" in
   /*)
   ac_cv_path_AR="$AR" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -2689,17 +2697,17 @@ test -n "$AR" && break
 done
 test -n "$AR" || AR="echo not_ar"
 
     for ac_prog in ld link
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2698: checking for $ac_word" >&5
+echo "configure:2706: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$LD" in
   /*)
   ac_cv_path_LD="$LD" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -2730,17 +2738,17 @@ test -n "$LD" && break
 done
 test -n "$LD" || LD="echo not_ld"
 
     for ac_prog in strip
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2739: checking for $ac_word" >&5
+echo "configure:2747: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_STRIP'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$STRIP" in
   /*)
   ac_cv_path_STRIP="$STRIP" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -2771,17 +2779,17 @@ test -n "$STRIP" && break
 done
 test -n "$STRIP" || STRIP="echo not_strip"
 
     for ac_prog in windres
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2780: checking for $ac_word" >&5
+echo "configure:2788: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_WINDRES'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$WINDRES" in
   /*)
   ac_cv_path_WINDRES="$WINDRES" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -2839,39 +2847,39 @@ esac
 
 if test "$cross_compiling"  = "yes"; then
     CROSS_COMPILE=1
 else
     CROSS_COMPILE=
 fi
 
 echo $ac_n "checking for gcc -pipe support""... $ac_c" 1>&6
-echo "configure:2848: checking for gcc -pipe support" >&5
+echo "configure:2856: checking for gcc -pipe support" >&5
 if test -n "$GNU_CC" && test -n "$GNU_CXX" && test -n "$GNU_AS"; then
     echo '#include <stdio.h>' > dummy-hello.c
     echo 'int main() { printf("Hello World\n"); return 0; }' >> dummy-hello.c
     ${CC} -S dummy-hello.c -o dummy-hello.s 2>&5
     cat dummy-hello.s | ${AS} -o dummy-hello.S - 2>&5
     if test $? = 0; then
         _res_as_stdin="yes"
     else
         _res_as_stdin="no"
     fi
     if test "$_res_as_stdin" = "yes"; then
         _SAVE_CFLAGS=$CFLAGS
         CFLAGS="$CFLAGS -pipe"
         cat > conftest.$ac_ext <<EOF
-#line 2863 "configure"
+#line 2871 "configure"
 #include "confdefs.h"
  #include <stdio.h> 
 int main() {
 printf("Hello World\n");
 ; return 0; }
 EOF
-if { (eval echo configure:2870: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2878: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   _res_gcc_pipe="yes"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   _res_gcc_pipe="no" 
 fi
@@ -2891,26 +2899,26 @@ else
     echo "$ac_t""no" 1>&6
 fi
 
 
 _SAVE_CFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -fprofile-generate -fprofile-correction"
 
 echo $ac_n "checking whether C compiler supports -fprofile-generate""... $ac_c" 1>&6
-echo "configure:2900: checking whether C compiler supports -fprofile-generate" >&5
+echo "configure:2908: checking whether C compiler supports -fprofile-generate" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2902 "configure"
+#line 2910 "configure"
 #include "confdefs.h"
 
 int main() {
 return 0;
 ; return 0; }
 EOF
-if { (eval echo configure:2909: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2917: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
    PROFILE_GEN_CFLAGS="-fprofile-generate"
                  result="yes" 
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   result="no"
@@ -2923,17 +2931,17 @@ if test $result = "yes"; then
    PROFILE_USE_CFLAGS="-fprofile-use -fprofile-correction -Wcoverage-mismatch"
    PROFILE_USE_LDFLAGS="-fprofile-use"
 fi
 
 CFLAGS="$_SAVE_CFLAGS"
 
 if test "$GNU_CC"; then
     echo $ac_n "checking for visibility(hidden) attribute""... $ac_c" 1>&6
-echo "configure:2932: checking for visibility(hidden) attribute" >&5
+echo "configure:2940: checking for visibility(hidden) attribute" >&5
 if eval "test \"`echo '$''{'ac_cv_visibility_hidden'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.c <<EOF
         int foo __attribute__ ((visibility ("hidden"))) = 1;
 EOF
         ac_cv_visibility_hidden=no
         if ${CC-cc} -Werror -S conftest.c -o conftest.s >/dev/null 2>&1; then
@@ -2947,17 +2955,17 @@ fi
 
 echo "$ac_t""$ac_cv_visibility_hidden" 1>&6
     if test "$ac_cv_visibility_hidden" = "yes"; then
         cat >> confdefs.h <<\EOF
 #define HAVE_VISIBILITY_HIDDEN_ATTRIBUTE 1
 EOF
 
         echo $ac_n "checking for visibility pragma support""... $ac_c" 1>&6
-echo "configure:2956: checking for visibility pragma support" >&5
+echo "configure:2964: checking for visibility pragma support" >&5
 if eval "test \"`echo '$''{'ac_cv_visibility_pragma'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.c <<EOF
 #pragma GCC visibility push(hidden)
             int foo_hidden = 1;
 #pragma GCC visibility push(default)
             int foo_default = 1;
@@ -3000,17 +3008,17 @@ fi # GNU_CC
 fi # SKIP_COMPILER_CHECKS
 
 if test -z "$SKIP_PATH_CHECKS"; then
     for ac_prog in perl5 perl
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:3009: checking for $ac_word" >&5
+echo "configure:3017: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$PERL" in
   /*)
   ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -3322,24 +3330,24 @@ yes)
 no)
     MOZ_THUMB2=
     thumb_flag="-marm"
     ;;
 *)
     _SAVE_CFLAGS="$CFLAGS"
     CFLAGS="$arch_flag"
     cat > conftest.$ac_ext <<EOF
-#line 3331 "configure"
+#line 3339 "configure"
 #include "confdefs.h"
 
 int main() {
 return sizeof(__thumb2__);
 ; return 0; }
 EOF
-if { (eval echo configure:3338: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3346: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   MOZ_THUMB2=1
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   MOZ_THUMB2=
 fi
@@ -3391,26 +3399,26 @@ no)
     ;;
 esac
 
 all_flags=`echo $arch_flag $thumb_flag $thumb_interwork_flag $fpu_flag $float_abi_flag $soft_float_flag`
 if test -n "$all_flags"; then
     _SAVE_CFLAGS="$CFLAGS"
     CFLAGS="$all_flags"
     echo $ac_n "checking whether the chosen combination of compiler flags ($all_flags) works""... $ac_c" 1>&6
-echo "configure:3400: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
+echo "configure:3408: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
     cat > conftest.$ac_ext <<EOF
-#line 3402 "configure"
+#line 3410 "configure"
 #include "confdefs.h"
 
 int main() {
 return 0;
 ; return 0; }
 EOF
-if { (eval echo configure:3409: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3417: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   { echo "configure: error: no" 1>&2; exit 1; }
 fi
@@ -3457,27 +3465,27 @@ EOF
 
     cat >> confdefs.h <<\EOF
 #define SYSV 1
 EOF
 
     DSO_LDOPTS='-brtl -bnortllib -bM:SRE -bnoentry -bexpall -blibpath:/usr/lib:/lib'
     ac_safe=`echo "sys/atomic_op.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for sys/atomic_op.h""... $ac_c" 1>&6
-echo "configure:3466: checking for sys/atomic_op.h" >&5
+echo "configure:3474: checking for sys/atomic_op.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3471 "configure"
+#line 3479 "configure"
 #include "confdefs.h"
 #include <sys/atomic_op.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3476: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3484: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
   eval "ac_cv_header_$ac_safe=yes"
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
@@ -3624,36 +3632,36 @@ EOF
     PR_MD_ARCH_DIR=beos
     RESOLVE_LINK_SYMBOLS=1
     case "${target_cpu}" in
     i*86)
         _OPTIMIZE_FLAGS=-O2
         _DEBUG_FLAGS='-gdwarf-2 -O0'
         MKSHLIB='$(CCC) $(DSO_LDOPTS) -o $@'
         echo $ac_n "checking for gethostbyaddr in -lbind""... $ac_c" 1>&6
-echo "configure:3633: checking for gethostbyaddr in -lbind" >&5
+echo "configure:3641: checking for gethostbyaddr in -lbind" >&5
 ac_lib_var=`echo bind'_'gethostbyaddr | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   ac_save_LIBS="$LIBS"
 LIBS="-lbind  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 3641 "configure"
+#line 3649 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
     builtin and then its argument prototype would still apply.  */
 char gethostbyaddr();
 
 int main() {
 gethostbyaddr()
 ; return 0; }
 EOF
-if { (eval echo configure:3652: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3660: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=no"
 fi
@@ -3852,27 +3860,27 @@ EOF
             CPU_ARCH=ppc
             ;;
     esac
     if test "`echo $CC | grep -c '\-arch '`" = "0"; then
         CC="$CC -arch $CPU_ARCH"
     fi
     ac_safe=`echo "crt_externs.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for crt_externs.h""... $ac_c" 1>&6
-echo "configure:3861: checking for crt_externs.h" >&5
+echo "configure:3869: checking for crt_externs.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3866 "configure"
+#line 3874 "configure"
 #include "confdefs.h"
 #include <crt_externs.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3871: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3879: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
   eval "ac_cv_header_$ac_safe=yes"
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
@@ -4906,27 +4914,27 @@ EOF
     if test -z "$GNU_CC"; then
         CC="$CC -std1 -ieee_with_inexact"
         if test "$OS_RELEASE" != "V2.0"; then
             CC="$CC -readonly_strings"
         fi
         _OPTIMIZE_FLAGS="$_OPTIMIZE_FLAGS -Olimit 4000"
         ac_safe=`echo "machine/builtins.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for machine/builtins.h""... $ac_c" 1>&6
-echo "configure:4915: checking for machine/builtins.h" >&5
+echo "configure:4923: checking for machine/builtins.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 4920 "configure"
+#line 4928 "configure"
 #include "confdefs.h"
 #include <machine/builtins.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:4925: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:4933: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
   eval "ac_cv_header_$ac_safe=yes"
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
@@ -5475,63 +5483,63 @@ if test -z "$SKIP_LIBRARY_CHECKS"; then
 
 
 
 case $target in
 *-darwin*|*-beos*|*-os2*)
     ;;
 *)
     echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
-echo "configure:5484: checking for dlopen in -ldl" >&5
+echo "configure:5492: checking for dlopen in -ldl" >&5
 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   ac_save_LIBS="$LIBS"
 LIBS="-ldl  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 5492 "configure"
+#line 5500 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
     builtin and then its argument prototype would still apply.  */
 char dlopen();
 
 int main() {
 dlopen()
 ; return 0; }
 EOF
-if { (eval echo configure:5503: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:5511: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=no"
 fi
 rm -f conftest*
 LIBS="$ac_save_LIBS"
 
 fi
 if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
   echo "$ac_t""yes" 1>&6
   ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
-echo "configure:5520: checking for dlfcn.h" >&5
+echo "configure:5528: checking for dlfcn.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 5525 "configure"
+#line 5533 "configure"
 #include "confdefs.h"
 #include <dlfcn.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5530: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:5538: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
   eval "ac_cv_header_$ac_safe=yes"
 else
   echo "$ac_err" >&5
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
@@ -5554,23 +5562,23 @@ fi
     ;;
 esac
 
 
 
 
 if test $ac_cv_prog_gcc = yes; then
     echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
-echo "configure:5563: checking whether ${CC-cc} needs -traditional" >&5
+echo "configure:5571: checking whether ${CC-cc} needs -traditional" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
     ac_pattern="Autoconf.*'x'"
   cat > conftest.$ac_ext <<EOF
-#line 5569 "configure"
+#line 5577 "configure"
 #include "confdefs.h"
 #include <sgtty.h>
 Autoconf TIOCGETP
 EOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "$ac_pattern" >/dev/null 2>&1; then
   rm -rf conftest*
   ac_cv_prog_gcc_traditional=yes
@@ -5578,17 +5586,17 @@ else
   rm -rf conftest*
   ac_cv_prog_gcc_traditional=no
 fi
 rm -f conftest*
 
 
   if test $ac_cv_prog_gcc_traditional = no; then
     cat > conftest.$ac_ext <<EOF
-#line 5587 "configure"
+#line 5595 "configure"
 #include "confdefs.h"
 #include <termio.h>
 Autoconf TCGETA
 EOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   egrep "$ac_pattern" >/dev/null 2>&1; then
   rm -rf conftest*
   ac_cv_prog_gcc_traditional=yes
@@ -5604,22 +5612,22 @@ echo "$ac_t""$ac_cv_prog_gcc_traditional
   fi
 fi
 
 _SAVE_LIBS="$LIBS"
 LIBS="$LIBS $OS_LIBS"
 for ac_func in lchown strerror dladdr
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:5613: checking for $ac_func" >&5
+echo "configure:5621: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 5618 "configure"
+#line 5626 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
 #include <assert.h>
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
     builtin and then its argument prototype would still apply.  */
 char $ac_func();
@@ -5632,17 +5640,17 @@ int main() {
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
 $ac_func();
 #endif
 
 ; return 0; }
 EOF
-if { (eval echo configure:5641: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:5649: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=no"
 fi
@@ -5684,17 +5692,17 @@ if test "$CCACHE" != "no"; then
             fi
         fi
     fi
     for ac_prog in $CCACHE ccache
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:5693: checking for $ac_word" >&5
+echo "configure:5701: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   case "$CCACHE" in
   /*)
   ac_cv_path_CCACHE="$CCACHE" # Let the user override the test with a path.
   ;;
   ?:/*)			 
@@ -5743,17 +5751,17 @@ if test "${enable_strip+set}" = set; the
 fi
 
 
 case "${target_os}" in
 hpux*)
 if test -z "$GNU_CC"; then
 
     echo $ac_n "checking for +Olit support""... $ac_c" 1>&6
-echo "configure:5752: checking for +Olit support" >&5
+echo "configure:5760: checking for +Olit support" >&5
 if eval "test \"`echo '$''{'ac_cv_hpux_usable_olit_option'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
                   ac_cv_hpux_usable_olit_option=no
         rm -f conftest*
         echo 'int main() { return 0; }' | cat > conftest.c
         ${CC-cc} ${CFLAGS} +Olit=all -o conftest conftest.c > conftest.out 2>&1
         if test $? -eq 0; then
@@ -5785,17 +5793,17 @@ darwin*)
     _HAVE_PTHREADS=1
     ;;
 wince*)
     _HAVE_PTHREADS=
     ;;
 *)
     
 echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
-echo "configure:5794: checking for pthread_create in -lpthreads" >&5
+echo "configure:5802: checking for pthread_create in -lpthreads" >&5
 echo "
     #include <pthread.h> 
     void *foo(void *v) { return v; } 
     int main() { 
         pthread_t t;
         if (!pthread_create(&t, 0, &foo, 0)) {
             pthread_join(t, 0);
         }
@@ -5807,17 +5815,17 @@ echo "
     rm -f dummy.c dummy${ac_exeext} ;
     if test "$_res" = "0"; then
         echo "$ac_t""yes" 1>&6
         _HAVE_PTHREADS=1 _PTHREAD_LDFLAGS="-lpthreads"
     else
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
-echo "configure:5816: checking for pthread_create in -lpthread" >&5
+echo "configure:5824: checking for pthread_create in -lpthread" >&5
 echo "
     #include <pthread.h> 
     void *foo(void *v) { return v; } 
     int main() { 
         pthread_t t;
         if (!pthread_create(&t, 0, &foo, 0)) {
             pthread_join(t, 0);
         }
@@ -5829,17 +5837,17 @@ echo "
     rm -f dummy.c dummy${ac_exeext} ;
     if test "$_res" = "0"; then
         echo "$ac_t""yes" 1>&6
         _HAVE_PTHREADS=1 _PTHREAD_LDFLAGS="-lpthread"
     else
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
-echo "configure:5838: checking for pthread_create in -lc_r" >&5
+echo "configure:5846: checking for pthread_create in -lc_r" >&5
 echo "
     #include <pthread.h> 
     void *foo(void *v) { return v; } 
     int main() { 
         pthread_t t;
         if (!pthread_create(&t, 0, &foo, 0)) {
             pthread_join(t, 0);
         }
@@ -5851,17 +5859,17 @@ echo "
     rm -f dummy.c dummy${ac_exeext} ;
     if test "$_res" = "0"; then
         echo "$ac_t""yes" 1>&6
         _HAVE_PTHREADS=1 _PTHREAD_LDFLAGS="-lc_r"
     else
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
-echo "configure:5860: checking for pthread_create in -lc" >&5
+echo "configure:5868: checking for pthread_create in -lc" >&5
 echo "
     #include <pthread.h> 
     void *foo(void *v) { return v; } 
     int main() { 
         pthread_t t;
         if (!pthread_create(&t, 0, &foo, 0)) {
             pthread_join(t, 0);
         }
@@ -5969,17 +5977,17 @@ if test "${enable_ipv6+set}" = set; then
       fi
 fi
 
 
 if test -n "$USE_PTHREADS"; then
       rm -f conftest*
    ac_cv_have_dash_pthread=no
    echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
-echo "configure:5978: checking whether ${CC-cc} accepts -pthread" >&5
+echo "configure:5986: checking whether ${CC-cc} accepts -pthread" >&5
    echo 'int main() { return 0; }' | cat > conftest.c
    ${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
    if test $? -eq 0; then
 	if test -z "`egrep -i '(unrecognize|unknown)' conftest.out | grep pthread`" && test -z "`egrep -i '(error|incorrect)' conftest.out`" ; then
 	    ac_cv_have_dash_pthread=yes
 		case "$target_os" in
 	    freebsd*)
 # Freebsd doesn't use -pthread for compiles, it uses them for linking
@@ -5992,17 +6000,17 @@ echo "configure:5978: checking whether $
 	fi
     fi
     rm -f conftest*
     echo "$ac_t""$ac_cv_have_dash_pthread" 1>&6
 
 			    ac_cv_have_dash_pthreads=no
     if test "$ac_cv_have_dash_pthread" = "no"; then
 	    echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
-echo "configure:6001: checking whether ${CC-cc} accepts -pthreads" >&5
+echo "configure:6009: checking whether ${CC-cc} accepts -pthreads" >&5
     	echo 'int main() { return 0; }' | cat > conftest.c
 	    ${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
     	if test $? -eq 0; then
 	    	if test -z "`egrep -i '(unrecognize|unknown)' conftest.out | grep pthreads`" && test -z "`egrep -i '(error|incorrect)' conftest.out`" ; then
 			    ac_cv_have_dash_pthreads=yes
 			    CFLAGS="$CFLAGS -pthreads"
 			    CXXFLAGS="$CXXFLAGS -pthreads"
 		    fi
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -122,17 +122,17 @@ AC_ARG_WITH(android-platform,
                           location of platform dir],
     android_platform=$withval)
 
 case "$target" in
 arm-linux*-android*|*-linuxandroid*)
     android_tool_prefix="arm-linux-androideabi"
     ;;
 i?86-*android*)
-    android_tool_prefix="i686-android-linux"
+    android_tool_prefix="i686-linux-android"
     ;;
 mipsel-*android*)
     android_tool_prefix="mipsel-linux-android"
     ;;
 *)
     android_tool_prefix="$target_os"
     ;;
 esac
@@ -216,16 +216,27 @@ case "$target" in
 
         if test -d "$android_platform" ; then
             AC_MSG_RESULT([$android_platform])
         else
             AC_MSG_ERROR([not found. You have to specify --with-android-platform=/path/to/ndk/platform.])
         fi
     fi
 
+    dnl Old NDK support. If minimum requirement is changed to NDK r8b,
+    dnl please remove this.
+    case "$target_cpu" in
+    i?86)
+        if ! test -e "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then
+            dnl Old NDK toolchain name
+            android_tool_prefix="i686-android-linux"
+        fi
+        ;;
+    esac
+
     dnl set up compilers
     AS="$android_toolchain"/bin/"$android_tool_prefix"-as
     CC="$android_toolchain"/bin/"$android_tool_prefix"-gcc
     CXX="$android_toolchain"/bin/"$android_tool_prefix"-g++
     CPP="$android_toolchain"/bin/"$android_tool_prefix"-cpp
     LD="$android_toolchain"/bin/"$android_tool_prefix"-ld
     AR="$android_toolchain"/bin/"$android_tool_prefix"-ar
     RANLIB="$android_toolchain"/bin/"$android_tool_prefix"-ranlib
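Review bot: The old-NDK fallback in the added `i?86)` arm tests with `if ! test -e "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then`, which is fragile in a configure script for two reasons. Older Bourne shells do not understand the `!` pipeline negation, and `-e` only says a path exists, not that it is a runnable compiler. `if test ! -x "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then` avoids both. The fallback also switches to `i686-android-linux` without checking that a compiler of that name is present, so a wrong `$android_toolchain` value would surface only later as a compiler failure, assuming later checks outside this hunk catch it at all. The enclosing `case "$target"` arm starts and ends outside the hunk.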
--- a/nsprpub/pr/src/Makefile.in
+++ b/nsprpub/pr/src/Makefile.in
@@ -113,29 +113,33 @@ ifeq ($(OS_ARCH),OSF1)
 ifeq ($(USE_PTHREADS), 1)
 OS_LIBS 	= -lpthread -lrt
 endif
 ifneq ($(OS_RELEASE),V2.0)
 OS_LIBS		+= -lc_r
 endif
 endif
 
-ifeq ($(OS_ARCH),Linux)
+# Linux, GNU/Hurd, and GNU/kFreeBSD systems
+ifneq (,$(filter Linux GNU%,$(OS_ARCH)))
 ifeq ($(USE_PTHREADS), 1)
 ifeq ($(OS_TARGET),Android)
 # Android has no libpthread.so in NDK
 OS_LIBS		= -ldl
 else
 OS_LIBS		= -lpthread -ldl
 endif
 else
 OS_LIBS		= -ldl
 endif
+ifneq ($(OS_TARGET),Android)
+# Android has no librt - realtime functions are in libc
 OS_LIBS		+= -lrt
 endif
+endif
 
 ifeq ($(OS_ARCH),HP-UX)
 ifeq ($(USE_PTHREADS), 1)
 ifeq (,$(filter-out B.10.10 B.10.20,$(OS_RELEASE)))
 OS_LIBS 	= -ldce
 else
 OS_LIBS 	= -lpthread -lrt
 endif
--- a/nsprpub/pr/src/pthreads/ptio.c
+++ b/nsprpub/pr/src/pthreads/ptio.c
@@ -1145,17 +1145,17 @@ void _PR_InitIO(void)
      * 5.3 says.  So we have to turn it off.  Find out whether we
      * are running on such a system.
      */
     {
         int osfd;
         osfd = socket(AF_INET6, SOCK_STREAM, 0);
         if (osfd != -1) {
             int on;
-            int optlen = sizeof(on);
+            socklen_t optlen = sizeof(on);
             if (getsockopt(osfd, IPPROTO_IPV6, IPV6_V6ONLY,
                     &on, &optlen) == 0) {
                 _pr_ipv6_v6only_on_by_default = on;
             }
             close(osfd);
         }
     }
 #endif
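Review bot: `socklen_t optlen` is the right type for getsockopt(), but the probe still stores the result without confirming how much was written. `_pr_ipv6_v6only_on_by_default = on;` runs whenever the call returns 0, and `on` is never initialised. Writing `int on = 0;` and testing `&on, &optlen) == 0 && optlen == sizeof(on)) {` would make the probe self-contained. If this file must build on platforms that lack `socklen_t`, a file-level socket-length typedef would be the safer spelling; whether that applies cannot be told from the hunk. `_PR_InitIO` and the `#if` that guards this block both begin outside the hunk.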
new file mode 100644
--- /dev/null
+++ b/security/coreconf/Android.mk
@@ -0,0 +1,6 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include $(CORE_DEPTH)/coreconf/Linux.mk
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -3,28 +3,50 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
 #
 # The default implementation strategy for Linux is now pthreads
 #
-USE_PTHREADS = 1
+ifneq ($(OS_TARGET),Android)
+	USE_PTHREADS = 1
+endif
 
 ifeq ($(USE_PTHREADS),1)
 	IMPL_STRATEGY = _PTH
 endif
 
 CC			= gcc
 CCC			= g++
 RANLIB			= ranlib
 
 DEFAULT_COMPILER = gcc
 
+ifeq ($(OS_TARGET),Android)
+ifndef ANDROID_NDK
+	$(error Must set ANDROID_NDK to the path to the android NDK first)
+endif
+	ANDROID_PREFIX=$(OS_TEST)-linux-androideabi
+	ANDROID_TARGET=$(ANDROID_PREFIX)-4.4.3
+	# should autodetect which linux we are on, currently android only
+	# supports linux-x86 prebuilts
+	ANDROID_TOOLCHAIN=$(ANDROID_NDK)/toolchains/$(ANDROID_TARGET)/prebuilt/linux-x86
+	ANDROID_SYSROOT=$(ANDROID_NDK)/platforms/android-$(OS_TARGET_RELEASE)/arch-$(OS_TEST)
+	ANDROID_CC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-gcc
+# internal tools need to be built with the native compiler
+ifndef INTERNAL_TOOLS
+	CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT)
+	DEFAULT_COMPILER=$(ANDROID_PREFIX)-gcc
+	ARCHFLAG = --sysroot=$(ANDROID_SYSROOT)
+	DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID
+	CROSS_COMPILE = 1
+endif
+endif
 ifeq ($(OS_TEST),ppc64)
 	CPU_ARCH	= ppc
 ifeq ($(USE_64),1)
 	ARCHFLAG	= -m64
 endif
 else
 ifeq ($(OS_TEST),alpha)
         OS_REL_CFLAGS   = -D_ALPHA_
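Review bot: The `DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID` line in the Android block turns two features off without a comment saying why. `NO_FORK_CHECK` appears to disable the library's fork detection (inferred from the name; the code that reads it is outside this hunk), which is a safety check, so the reason it cannot be used on Android belongs next to the define, e.g. `# Android: fork check and sysinfo() unavailable because REASON_PLACEHOLDER (bug BUG_ID_PLACEHOLDER)`. The toolchain version `4.4.3` and host directory `linux-x86` are also hard-coded, as the in-hunk comment admits. Wrapping `ANDROID_TARGET` and `ANDROID_TOOLCHAIN` in `ifndef` would let a builder point at a different NDK layout without editing this file.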
@@ -62,17 +84,19 @@ endif
 endif
 endif
 endif
 endif
 endif
 endif
 
 
+ifneq ($(OS_TARGET),Android)
 LIBC_TAG		= _glibc
+endif
 
 ifeq ($(OS_RELEASE),2.0)
 	OS_REL_CFLAGS	+= -DLINUX2_0
 	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 	ifdef MAPFILE
 		MKSHLIB += -Wl,--version-script,$(MAPFILE)
 	endif
 	PROCESS_MAP_FILE = grep -v ';-' $< | \
@@ -98,17 +122,17 @@ endif
 ifeq ($(USE_PTHREADS),1)
 OS_PTHREAD = -lpthread 
 endif
 
 # See bug 537829, in particular comment 23.
 # Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override
 # -ansi on platforms like Android where the system headers are C99 and do
 # not build with -ansi.
-STANDARDS_CFLAGS	= -ansi -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
+STANDARDS_CFLAGS	= -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
 OS_CFLAGS		= $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
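Review bot: The comment above `STANDARDS_CFLAGS` still describes where `-ansi` is placed and how `DSO_CFLAGS` can override it, but this hunk removes `-ansi` from the variable, and it does so for every Linux build, not only Android. Update the comment to match, e.g. `# -ansi is no longer passed; the *_SOURCE defines stay ahead of $(DSO_CFLAGS).` The next hunk of this file (`@@ -136,22 +160,24 @@`) has the same drift: its "On Linux 2.6 or later" comment does not mention that Android is now excluded from the `FREEBL_NO_DEPEND` default.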
@@ -136,22 +160,24 @@ G++INCLUDES		= -I/usr/include/g++
 #
 CPU_TAG = _$(CPU_ARCH)
 
 #
 # On Linux 2.6 or later, build libfreebl3.so with no NSPR and libnssutil3.so
 # dependencies by default.  Set FREEBL_NO_DEPEND to 0 in the environment to
 # override this.
 #
+ifneq ($(OS_TARGET),Android)
 ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
 ifndef FREEBL_NO_DEPEND
 FREEBL_NO_DEPEND = 1
 FREEBL_LOWHASH = 1
 endif
 endif
+endif
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS = -lz
 
 # The -rpath '$$ORIGIN' linker option instructs this library to search for its
 # dependencies in the same directory where it resides.
 ifeq ($(BUILD_SUN_PKG), 1)
 ifeq ($(USE_64), 1)
--- a/security/coreconf/SunOS5.mk
+++ b/security/coreconf/SunOS5.mk
@@ -58,18 +58,16 @@ else
 		OPTIMIZER = -xO4
 	endif
 	ifdef USE_TCOV
 		CC += -xprofile=tcov
 		CCC += -xprofile=tcov
 	endif
 endif
 
-INCLUDES   += -I/usr/dt/include -I/usr/openwin/include
-
 RANLIB      = echo
 CPU_ARCH    = sparc
 OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT
 
 # Purify doesn't like -MDupdate
 NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
 
 MKSHLIB  = $(CC) $(DSO_LDOPTS) $(RPATH)
--- a/security/coreconf/arch.mk
+++ b/security/coreconf/arch.mk
@@ -244,16 +244,27 @@ ifeq (MINGW32_NT,$(findstring MINGW32_NT
 	# MSYS's uname -m returns "i686" on a Pentium Pro machine.
 	#
 	ifneq (,$(findstring 86,$(CPU_ARCH)))
 	    CPU_ARCH = x386
 	endif
     endif
 endif
 
+ifeq ($(OS_TARGET),Android)
+#
+# this should be  configurable from the user
+#
+   OS_TEST := arm
+   OS_ARCH = Android
+   ifndef OS_TARGET_RELEASE
+	OS_TARGET_RELEASE := 8
+   endif
+endif
+
 ifndef OS_TARGET
     OS_TARGET = $(OS_ARCH)
 endif
 
 ifeq ($(OS_TARGET), WIN95)
     OS_RELEASE = 4.0
 endif
 
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -26,17 +26,17 @@ endif
 #       (dependent upon <architecture> tags)                          #
 #                                                                     #
 #       We are moving towards just having a $(OS_TARGET).mk file      #
 #       as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files,    #
 #       one for each OS release.                                      #
 #######################################################################
 
 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
-              AIX RISCOS WINNT WIN95 Linux
+              AIX RISCOS WINNT WIN95 Linux Android
 
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
 
 #######################################################################
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -5,10 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
-
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -56,16 +56,19 @@ clobber_coreconf:
 
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
+ifeq ($(OS_TARGET),Android)
+NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE)
+endif
 ifdef BUILD_OPT
 NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
 endif
 ifdef USE_64
 NSPR_CONFIGURE_OPTS += --enable-64bit
 endif
 ifeq ($(OS_TARGET),WIN95)
 NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
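Review bot: `--target=arm-linux-androideabi` is hard-coded in the new Android block, while coreconf/Linux.mk in this same commit builds the triple as `$(OS_TEST)-linux-androideabi`. The two will disagree as soon as OS_TEST is anything other than arm, so use `--target=$(OS_TEST)-linux-androideabi` here as well. `$(ANDROID_NDK)` is also expanded unquoted into the configure options, so an NDK path containing spaces would split into separate arguments, assuming NSPR_CONFIGURE_OPTS reaches the shell as is (the recipe that uses it is outside this hunk).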
@@ -145,36 +148,8 @@ else
 endif
 endif
 
 nss_RelEng_bld: build_coreconf import build_dbm all
 
 package:
 	$(MAKE) -C pkg publish
 
-TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
-package_for_testing:
-	echo "export OBJDIR=$(OBJDIR_NAME)"     > $(DIST)/platform.cfg
-	echo "export OS_ARCH=$(ANDROID)"       >> $(DIST)/platform.cfg
-	echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(DIST)/platform.cfg
-	echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(DIST)/platform.cfg
-ifeq ($(OS_TARGET),Android)
-	# Android doesn't support FIPS tests, so don't run them
-	echo "export NSS_TEST_DISABLE_FIPS=1"  >> $(DIST)/platform.cfg
-endif
-	echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"; sleep 5' > $(DIST)/../../runtests.sh
-	echo 'export NSS_TESTS=$(NSS_TESTS)'         >> $(DIST)/../../runtests.sh
-	echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(DIST)/../../runtests.sh
-	echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)'     >> $(DIST)/../../runtests.sh
-	echo 'export NSS_CYCLES=$(NSS_CYCLES)'       >> $(DIST)/../../runtests.sh
-	echo 'export OBJDIR=$(OBJDIR_NAME)'          >> $(DIST)/../../runtests.sh
-	echo 'export USE_64=$(USE_64)'               >> $(DIST)/../../runtests.sh
-	echo 'export BUILD_OPT=$(BUILD_OPT)'         >> $(DIST)/../../runtests.sh
-	echo 'rm -rf test_results'                   >> $(DIST)/../../runtests.sh
-	echo 'echo "running tests"'                  >> $(DIST)/../../runtests.sh
-	echo 'cd security/nss/tests; ./all.sh > ../../../logfile 2>&1 ; cd ../../../' >> $(DIST)/../../runtests.sh
-	echo 'tar czf tests_results.tgz tests_results' >> $(DIST)/../../runtests.sh
-	echo 'echo "created tests_results.tgz"' >> $(DIST)/../../runtests.sh
-	echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(DIST)/../../runtests.sh
-	echo 'echo -n "number of PASSED tests: "; grep -cw PASSED logfile;'  >> $(DIST)/../../runtests.sh
-	echo 'echo -n "number of FAILED tests: "; grep -cw FAILED logfile;'  >> $(DIST)/../../runtests.sh
-	rm -f $(TESTPACKAGE)
-	(cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public security/nss/tests security/nss/cmd/bltest/tests; echo "created "`pwd`"/dist/$(TESTPACKAGE)")
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_14_2_BETA1
+NSS_3_14_2_BETA2
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@@ -1,1 +1,1 @@
-NSS_3_14_CKBI_1_93_RTM
+NSS_3_14_2_BETA2
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -472,18 +472,17 @@ listCerts(CERTCertDBHandle *handle, char
 	    } else if (raw) {
 		numBytes = PR_Write(outfile, data.data, data.len);
 		if (numBytes != (PRInt32) data.len) {
 		   SECU_PrintSystemError(progName, "error writing raw cert");
 		    rv = SECFailure;
 		}
 		rv = SECSuccess;
 	    } else {
-		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
-                                                  the_cert->trust);
+		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
 		if (rv != SECSuccess) {
 		    SECU_PrintError(progName, "problem printing certificate");
 		}
 
 	    }
 	    if (rv != SECSuccess) {
 		break;
 	    }
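Review bot: The raw-output branch just above the changed call still discards its own error: `rv = SECSuccess;` comes after the short-write check, so a failed `PR_Write` is reported as success and the loop continues. The second listCerts hunk has the assignment in the right place; here move `rv = SECSuccess;` to before `if (numBytes != (PRInt32) data.len)`. This is in unchanged context lines, and listCerts starts and ends outside the hunk.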
@@ -511,18 +510,17 @@ listCerts(CERTCertDBHandle *handle, char
 	    } else if (raw) {
 		numBytes = PR_Write(outfile, data.data, data.len);
 		rv = SECSuccess;
 		if (numBytes != (PRInt32) data.len) {
 		    SECU_PrintSystemError(progName, "error writing raw cert");
 		    rv = SECFailure;
 		}
 	    } else {
-		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
-                                                  the_cert->trust);
+		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
 		if (rv != SECSuccess) {
 		    SECU_PrintError(progName, "problem printing certificate");
 		}
 	    }
 	    if (rv != SECSuccess) {
 		break;
 	    }
 	}
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -2138,17 +2138,17 @@ printflags(char *trusts, unsigned int fl
 	PORT_Strcat(trusts, "G");
     return;
 }
 
 /* callback for listing certs through pkcs11 */
 SECStatus
 SECU_PrintCertNickname(CERTCertListNode *node, void *data)
 {
-    CERTCertTrust *trust;
+    CERTCertTrust trust;
     CERTCertificate* cert;
     FILE *out;
     char trusts[30];
     char *name;
 
     cert = node->cert;
 
     PORT_Memset (trusts, 0, sizeof (trusts));
@@ -2160,23 +2160,22 @@ SECU_PrintCertNickname(CERTCertListNode 
     }
     if (!name || !name[0]) {
         name = cert->emailAddr;
     }
     if (!name || !name[0]) {
         name = "(NULL)";
     }
 
-    trust = cert->trust;
-    if (trust) {
-        printflags(trusts, trust->sslFlags);
+    if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+        printflags(trusts, trust.sslFlags);
         PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->emailFlags);
+        printflags(trusts, trust.emailFlags);
         PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->objectSigningFlags);
+        printflags(trusts, trust.objectSigningFlags);
     } else {
         PORT_Memcpy(trusts,",,",3);
     }
     fprintf(out, "%-60s %-5s\n", name, trusts);
 
     return (SECSuccess);
 }
 
@@ -3063,30 +3062,31 @@ int SECU_PrintSignedContent(FILE *out, S
 
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
     SECItem data;
+    CERTCertTrust certTrust;
     
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, label, 0,
 			      SECU_PrintCertificate);
     if (rv) {
 	return(SECFailure);
     }
     if (trust) {
 	SECU_PrintTrustFlags(stdout, trust,
 	                     "Certificate Trust Flags", 1);
-    } else if (cert->trust) {
-	SECU_PrintTrustFlags(stdout, cert->trust,
+    } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
+	SECU_PrintTrustFlags(stdout, &certTrust,
 	                     "Certificate Trust Flags", 1);
     }
 
     printf("\n");
 
     return(SECSuccess);
 }
 
@@ -3458,16 +3458,17 @@ SECU_FindCRLAuthKeyIDExten (PRArenaPool 
  * Find the issuer of a Crl.  Use the authorityKeyID if it exists.
  */
 CERTCertificate *
 SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
                    CERTAuthKeyID* authorityKeyID, PRTime validTime)
 {
     CERTCertificate *issuerCert = NULL;
     CERTCertList *certList = NULL;
+    CERTCertTrust trust;
 
     if (!subject) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
 
     certList =
         CERT_CreateSubjectCertList(NULL, dbhandle, subject,
@@ -3476,17 +3477,17 @@ SECU_FindCrlIssuer(CERTCertDBHandle *dbh
         CERTCertListNode *node = CERT_LIST_HEAD(certList);
     
         /* XXX and authoritykeyid in the future */
         while ( ! CERT_LIST_END(node, certList) ) {
             CERTCertificate *cert = node->cert;
             /* check cert CERTCertTrust data is allocated, check cert
                usage extension, check that cert has pkey in db. Select
                the first (newest) user cert */
-            if (cert->trust &&
+            if (CERT_GetCertTrust(cert, &trust) == SECSuccess &&
                 CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
                 CERT_IsUserCert(cert)) {
                 
                 issuerCert = CERT_DupCertificate(cert);
                 break;
             }
             node = CERT_LIST_NEXT(node);   
         }
--- a/security/nss/cmd/multinit/multinit.c
+++ b/security/nss/cmd/multinit/multinit.c
@@ -487,16 +487,17 @@ sort_CN(CERTCertificate *certa, CERTCert
  * list all the certs
  */
 void
 do_list_certs(const char *progName, int log)
 {
    CERTCertList *list;
    CERTCertList *sorted;
    CERTCertListNode *node;
+   CERTCertTrust trust;
    int i;
 
    list = PK11_ListCerts(PK11CertListUnique, NULL);
    if (list == NULL) {
 	fprintf(stderr,"ERROR: no certs found %s\n", 
 		SECU_Strerror(PORT_GetError()));
 	appendLabel('C');
 	appendString("none");
@@ -538,20 +539,20 @@ do_list_certs(const char *progName, int 
 		fprintf(stderr, "%02x",cert->serialNumber.data[0]);
 	    }
 	    fprintf(stderr," *\n");
 	}
 	appendLabel('C');
 	commonName = CERT_GetCommonName(&cert->subject);
 	appendString(commonName?commonName:"*NoName*");
 	PORT_Free(commonName);
-	if (cert->trust) {
-	    appendFlags(cert->trust->sslFlags);
-	    appendFlags(cert->trust->emailFlags);
-	    appendFlags(cert->trust->objectSigningFlags);
+	if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+	    appendFlags(trust.sslFlags);
+	    appendFlags(trust.emailFlags);
+	    appendFlags(trust.objectSigningFlags);
 	}
    }
    CERT_DestroyCertList(list);
 
 }
 
 /*
  * need to implement yet... try to add a new certificate
--- a/security/nss/cmd/ocspclnt/ocspclnt.c
+++ b/security/nss/cmd/ocspclnt/ocspclnt.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Test program for client-side OCSP.
  *
- * $Id: ocspclnt.c,v 1.13 2012/03/20 14:47:10 gerv%gerv.net Exp $
+ * $Id: ocspclnt.c,v 1.14 2013/01/23 23:05:50 kaie%kuix.de Exp $
  */
 
 #include "secutil.h"
 #include "nspr.h"
 #include "plgetopt.h"
 #include "nss.h"
 #include "cert.h"
 #include "ocsp.h"
@@ -823,18 +823,17 @@ print_basic_response (FILE *out_file, oc
  */
 static char *responseStatusNames[] = {
     "successful (Response has valid confirmations)",
     "malformedRequest (Illegal confirmation request)",
     "internalError (Internal error in issuer)",
     "tryLater (Try again later)",
     "unused ((4) is not used)",
     "sigRequired (Must sign the request)",
-    "unauthorized (Request unauthorized)",
-    "other (Status value out of defined range)"
+    "unauthorized (Request unauthorized)"
 };
 
 /*
  * Decode the DER/BER-encoded item "data" as an OCSP response
  * and pretty-print the subfields.
  */
 static SECStatus
 print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
@@ -848,19 +847,25 @@ print_response (FILE *out_file, SECItem 
 	PORT_SetError (SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     response = CERT_DecodeOCSPResponse (data);
     if (response == NULL)
 	return SECFailure;
 
-    PORT_Assert (response->statusValue <= ocspResponse_other);
-    fprintf (out_file, "Response Status: %s\n",
-	     responseStatusNames[response->statusValue]);
+    if (response->statusValue >= ocspResponse_min &&
+	response->statusValue <= ocspResponse_max) {
+	fprintf (out_file, "Response Status: %s\n",
+		 responseStatusNames[response->statusValue]);
+    } else {
+	fprintf (out_file,
+		 "Response Status: other (Status value %d out of defined range)\n",
+		 (int)response->statusValue);
+    }
 
     if (response->statusValue == ocspResponse_successful) {
 	ocspResponseBytes *responseBytes = response->responseBytes;
 	SECStatus sigStatus;
 	CERTCertificate *signerCert = NULL;
 
 	PORT_Assert (responseBytes != NULL);
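Review bot: The new range check indexes `responseStatusNames` using `ocspResponse_min` and `ocspResponse_max`, which are defined in another header, so nothing in this file ties the upper bound to the seven entries the table has after this commit. If the enum is later extended without the table, a status value taken from a decoded response would index past the array. Bound the lookup by the table itself as well, e.g. `response->statusValue < sizeof(responseStatusNames) / sizeof(responseStatusNames[0])`. print_response continues outside the hunk.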
 
--- a/security/nss/cmd/shlibsign/Makefile
+++ b/security/nss/cmd/shlibsign/Makefile
@@ -78,15 +78,19 @@ include ../platrules.mk
 SRCDIR = $(call core_abspath,.)
 
 %.chk: %.$(DLL_SUFFIX) 
 ifeq ($(OS_TARGET), OS2)
 	cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
 	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
 	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
 else
+    ifeq ($(CROSS_COMPILE),1)
+	# do nothing
+    else
 	cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
 	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
 	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+    endif
 endif
 
 libs install :: $(CHECKLOC)
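Review bot: With `CROSS_COMPILE` set to 1 the `%.chk` recipe is reduced to the tab-indented `# do nothing` line, which make passes to the shell as a recipe line rather than treating it as a makefile comment, and the rule then finishes without creating its target. `$(CHECKLOC)` is therefore out of date on every run, and cross-compiled libraries ship without their .chk files. If anything verifies those files at run time (the library integrity self-test appears to, but that code is not visible here), it will fail on such targets. Make the skip explicit, e.g. `@echo "cross-compiling: $@ not generated"`, and note in a comment where signing is expected to happen instead.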
 
--- a/security/nss/cmd/shlibsign/sign.sh
+++ b/security/nss/cmd/shlibsign/sign.sh
@@ -1,13 +1,20 @@
 #!/bin/sh
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+# arguments:
+# 1: full path to DIST/OBJDIR (parent dir of "lib")
+# 2: full path to shlibsign executable (DIST/OBJDIR/bin)
+# 3: OS_TARGET
+# 4: full path to DIST/OBJDIR/lib
+# 5: full path to library that is to be signed
+
 case "${3}" in
 WIN*)
     if echo "${PATH}" | grep -c \; >/dev/null; then
         PATH=${1}/lib\;${1}/bin\;${4}\;${PATH}
     else
         # ARG1 is ${1} with the drive letter escaped.
         if echo "${1}" | grep -c : >/dev/null; then
             ARG1=`(cd ${1}; pwd)`
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -29,17 +29,17 @@
 #include <string.h>
 #include <time.h>
 
 #include "plgetopt.h"
 #include "nss.h"
 #include "cert.h"
 #include "sslproto.h"
 
-#define VERSIONSTRING "$Revision: 1.22 $ ($Date: 2012/06/14 18:16:05 $) $Author: wtc%google.com $"
+#define VERSIONSTRING "$Revision: 1.23 $ ($Date: 2013/01/23 20:53:58 $) $Author: wtc%google.com $"
 
 
 struct _DataBufferList;
 struct _DataBuffer;
 
 typedef struct _DataBufferList {
   struct _DataBuffer *first,*last;
   int size;
@@ -328,18 +328,21 @@ const char * V2CipherString(int cs_int)
 
   case 0x000035:    cs_str = "TLS/RSA/AES256-CBC/SHA";  	break;
   case 0x000036:    cs_str = "TLS/DH-DSS/AES256-CBC/SHA";	break;
   case 0x000037:    cs_str = "TLS/DH-RSA/AES256-CBC/SHA";	break;
   case 0x000038:    cs_str = "TLS/DHE-DSS/AES256-CBC/SHA";	break;
   case 0x000039:    cs_str = "TLS/DHE-RSA/AES256-CBC/SHA";	break;
   case 0x00003A:    cs_str = "TLS/DH-ANON/AES256-CBC/SHA";	break;
 
+  case 0x00003B:    cs_str = "TLS/RSA/NULL/SHA256";		break;
   case 0x00003C:    cs_str = "TLS/RSA/AES128-CBC/SHA256";  	break;
   case 0x00003D:    cs_str = "TLS/RSA/AES256-CBC/SHA256";  	break;
+  case 0x00003E:    cs_str = "TLS/DH-DSS/AES128-CBC/SHA256";  	break;
+  case 0x00003F:    cs_str = "TLS/DH-RSA/AES128-CBC/SHA256";  	break;
   case 0x000040:    cs_str = "TLS/DHE-DSS/AES128-CBC/SHA256";	break;
 
   case 0x000041:    cs_str = "TLS/RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000042:    cs_str = "TLS/DH-DSS/CAMELLIA128-CBC/SHA";	break;
   case 0x000043:    cs_str = "TLS/DH-RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000044:    cs_str = "TLS/DHE-DSS/CAMELLIA128-CBC/SHA";	break;
   case 0x000045:    cs_str = "TLS/DHE-RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000046:    cs_str = "TLS/DH-ANON/CAMELLIA128-CBC/SHA";	break;
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -61,16 +61,19 @@ Usage(const char *progName)
 	"\t-p \t\t Use PKIX Library to validate certificate by calling:\n"
 	"\t\t\t   * CERT_VerifyCertificate if specified once,\n"
 	"\t\t\t   * CERT_PKIXVerifyCert if specified twice and more.\n"
 	"\t-r\t\t Following certfile is raw binary DER (default)\n"
         "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
 	"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
 	"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
 	"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+	"\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
+	"\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
+	"\t\t\t or to trust the database if there are certificates marked -t.)\n"
 	"\t-v\t\t Verbose mode. Prints root cert subject(double the\n"
 	"\t\t\t argument for whole root cert info)\n"
 	"\t-w password\t Database password.\n"
 	"\t-W pwfile\t Password file.\n\n"
         "\tRevocation options for PKIX API(invoked with -pp options) is a\n"
         "\tcollection of the following flags:\n"
         "\t\t[-g type [-h flags] [-m type [-s flags]] ...] ...\n"
         "\tWhere:\n"
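Review bot: The added `-T` help text states the same condition twice: it says the database is trusted "if there are certificates marked -t", which is also the condition given for trusting only the `-t` certificates. The second clause presumably means the case where none are marked; change it to `"\t\t\t or to trust the database if there are no certificates marked -t.)\n"`. Usage() starts and ends outside the hunk.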
@@ -418,23 +421,24 @@ main(int argc, char *argv[], char *envp[
     int                  rv           = 1;
     int                  usage;
     CERTVerifyLog        log;
     CERTCertList        *builtChain = NULL;
     PRBool               certFetching = PR_FALSE;
     int                  revDataIndex = 0;
     PRBool               ocsp_fetchingFailureIsAFailure = PR_TRUE;
     PRBool               useDefaultRevFlags = PR_TRUE;
+    PRBool               onlyTrustAnchors = PR_TRUE;
     int                  vfyCounts = 1;
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     progName = PL_strdup(argv[0]);
 
-    optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:");
+    optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tTu:vw:W:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch(optstate->option) {
 	case  0  : /* positional parameter */  goto breakout;
 	case 'a' : isAscii  = PR_TRUE;                        break;
 	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
 	           if (secStatus != SECSuccess) Usage(progName); break;
 	case 'd' : certDir  = PL_strdup(optstate->value);     break;
 	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
@@ -473,16 +477,17 @@ main(int argc, char *argv[], char *envp[
                        methodTypeStr = PL_strdup(optstate->value); break;
 	case 'o' : oidStr = PL_strdup(optstate->value);       break;
 	case 'p' : usePkix += 1;                              break;
 	case 'r' : isAscii  = PR_FALSE;                       break;
 	case 's' : 
                    revMethodsData[revDataIndex].
                        methodFlagsStr = PL_strdup(optstate->value); break;
 	case 't' : trusted  = PR_TRUE;                        break;
+	case 'T' : onlyTrustAnchors = PR_FALSE;               break;
 	case 'u' : usage    = PORT_Atoi(optstate->value);
 	           if (usage < 0 || usage > 62) Usage(progName);
 		   certUsage = ((SECCertificateUsage)1) << usage; 
 		   if (certUsage > certificateUsageHighest) Usage(progName);
 		   break;
         case 'w':
                   pwdata.source = PW_PLAINTEXT;
                   pwdata.data = PORT_Strdup(optstate->value);
@@ -506,16 +511,21 @@ breakout:
                     " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
         if (trusted) {
             fprintf(stderr, "Cert trust flag can be used only with"
                     " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
+        if (!onlyTrustAnchors) {
+            fprintf(stderr, "Cert trust anchor exclusiveness can be"
+                    " used only with CERT_PKIXVerifyCert(-pp)"
+                    " function.\n");
+        }
     }
 
     if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
         fprintf(stderr, "Invalid revocation configuration specified.\n");
         goto punt;
     }
 
     /* Set our password function callback. */
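Review bot: The new `!onlyTrustAnchors` branch only prints its message and falls through, while the two checks directly above it in the same block call `Usage(progName);` after theirs. As written, `-T` without `-pp` is accepted and verification proceeds on a path that, judging by the later hunk, only consults `onlyTrustAnchors` when building the `cvin` array for CERT_PKIXVerifyCert. Add `Usage(progName);` after the `fprintf` so a trust option that cannot take effect is rejected rather than ignored.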
@@ -588,17 +598,17 @@ breakout:
                                                PR_TRUE /* check sig */,
                                                certUsage, 
                                                time,
                                                &pwdata, /* wincx  */
                                                &log, /* error log */
                                            NULL);/* returned usages */
         } else do {
                 static CERTValOutParam cvout[4];
-                static CERTValInParam cvin[6];
+                static CERTValInParam cvin[7];
                 SECOidTag oidTag;
                 int inParamIndex = 0;
                 static PRUint64 revFlagsLeaf[2];
                 static PRUint64 revFlagsChain[2];
                 static CERTRevocationFlags rev;
                 
                 if (oidStr) {
                     PRArenaPool *arena;
@@ -662,16 +672,22 @@ breakout:
                 cvin[inParamIndex].value.pointer.revocation = &rev;
                 inParamIndex++;
                 
                 if (time) {
                     cvin[inParamIndex].type = cert_pi_date;
                     cvin[inParamIndex].value.scalar.time = time;
                     inParamIndex++;
                 }
+
+                if (!onlyTrustAnchors) {
+                    cvin[inParamIndex].type = cert_pi_useOnlyTrustAnchors;
+                    cvin[inParamIndex].value.scalar.b = onlyTrustAnchors;
+                    inParamIndex++;
+                }
                 
                 cvin[inParamIndex].type = cert_pi_end;
                 
                 cvout[0].type = cert_po_trustAnchor;
                 cvout[0].value.pointer.cert = NULL;
                 cvout[1].type = cert_po_certList;
                 cvout[1].value.pointer.chain = NULL;
                 
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.123 2012/04/25 14:49:26 gerv%gerv.net Exp $
+ * $Id: certdb.c,v 1.124 2013/01/07 04:11:50 ryan.sleevi%gmail.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -2046,45 +2046,48 @@ cert_Version(CERTCertificate *cert)
 	    version = 0;
     }
     return version;
 }
 
 static unsigned int
 cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 {
-    CERTCertTrust *trust = cert->trust;
-
-    if (trust && (trust->sslFlags |
-		  trust->emailFlags |
-		  trust->objectSigningFlags)) {
-
-	if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
+    CERTCertTrust trust;
+    SECStatus rv = SECFailure;
+
+    rv = CERT_GetCertTrust(cert, &trust);
+
+    if (rv == SECSuccess && (trust.sslFlags |
+		  trust.emailFlags |
+		  trust.objectSigningFlags)) {
+
+	if (trust.sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
-	if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
+	if (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_SSL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
-	if (trust->sslFlags & CERTDB_NOT_TRUSTED) 
+	if (trust.sslFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
 	               NS_CERT_TYPE_SSL_CA);
 #endif
-	if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
+	if (trust.emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_EMAIL;
-	if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
+	if (trust.emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_EMAIL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
-	if (trust->emailFlags & CERTDB_NOT_TRUSTED) 
+	if (trust.emailFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
 #endif
-	if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
+	if (trust.objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING;
-	if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
+	if (trust.objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
 #if defined(CERTDB_NOT_TRUSTED)
-	if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED) 
+	if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
 	               NS_CERT_TYPE_OBJECT_SIGNING_CA);
 #endif
     }
     return cType;
 }
 
 /*
@@ -2813,20 +2816,24 @@ CERT_FilterCertListByUsage(CERTCertList 
     return(SECSuccess);
     
 loser:
     return(SECFailure);
 }
 
 PRBool CERT_IsUserCert(CERTCertificate* cert)
 {
-    if ( cert->trust &&
-        ((cert->trust->sslFlags & CERTDB_USER ) ||
-         (cert->trust->emailFlags & CERTDB_USER ) ||
-         (cert->trust->objectSigningFlags & CERTDB_USER )) ) {
+    CERTCertTrust trust;
+    SECStatus rv = SECFailure;
+
+    rv = CERT_GetCertTrust(cert, &trust);
+    if (rv == SECSuccess &&
+        ((trust.sslFlags & CERTDB_USER ) ||
+         (trust.emailFlags & CERTDB_USER ) ||
+         (trust.objectSigningFlags & CERTDB_USER )) ) {
         return PR_TRUE;
     } else {
         return PR_FALSE;
     }
 }
 
 SECStatus
 CERT_FilterCertListForUserCerts(CERTCertList *certList)
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.57 2012/09/28 23:40:14 rrelyea%redhat.com Exp $
+ * $Id: certt.h,v 1.58 2013/01/07 03:56:12 ryan.sleevi%gmail.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
@@ -950,24 +950,36 @@ typedef enum {
    cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
 				 * validate against. 
 				 * The default set of trusted roots, these are
 				 * root CA certs from libnssckbi.so or CA
 				 * certs trusted by user, are used in any of
 				 * the following cases:
 				 *      * when the parameter is not set.
 				 *      * when the list of trust anchors is empty.
+				 * Note that this handling can be further altered by altering the
+				 * cert_pi_useOnlyTrustAnchors flag
 				 * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
 				 * In NSS 3.12.1 or later. Default is off.
 				 * Value is in value.scalar.b */
    cert_pi_chainVerifyCallback = 13,
                                 /* The callback container for doing extra
                                  * validation on the currently calculated chain.
                                  * Value is in value.pointer.chainVerifyCallback */
+   cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
+				 * certificates other than the ones passed in via cert_pi_trustAnchors.
+				 * If false, then the certificates specified via cert_pi_trustAnchors
+				 * will be combined with the pre-existing trusted roots, but only for
+				 * the certificate validation being performed.
+				 * If no value has been supplied via cert_pi_trustAnchors, this has no
+				 * effect.
+				 * The default value is true, meaning if this is not supplied, only
+				 * trust anchors supplied via cert_pi_trustAnchors are trusted.
+				 * Specified in value.scalar.b */
    cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
 				 *  can increase in future releases */
 } CERTValParamInType;
 
 /*
  * for all out parameters:
  *  out parameters are only returned if the caller asks for them in
  *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
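Review bot: The new `cert_pi_useOnlyTrustAnchors` comment does not say what happens when `cert_pi_trustAnchors` is supplied with an empty list, although the comment just above states that an empty list falls back to the default trusted roots. A caller relying on the documented default of true to restrict validation to its own anchors could therefore end up trusting the default root set whenever its list is empty. The comment should say so, e.g. `* An empty cert_pi_trustAnchors list is treated as not supplied: the default trusted roots are used.` (to be confirmed against the libpkix behaviour, which is outside this hunk). Separately, "can be further altered by altering" reads better as `* Note that this handling can be changed with the cert_pi_useOnlyTrustAnchors flag.`, and the entry could carry the same kind of "In NSS <version> or later" line that `cert_pi_useAIACertFetch` has.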
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -235,19 +235,17 @@ CERT_MapStanError()
 
 SECStatus
 CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
 		    CERTCertTrust *trust)
 {
     SECStatus rv = SECSuccess;
     PRStatus ret;
 
-    CERT_LockCertTrust(cert);
     ret = STAN_ChangeCertTrust(cert, trust);
-    CERT_UnlockCertTrust(cert);
     if (ret != PR_SUCCESS) {
 	rv = SECFailure;
 	CERT_MapStanError();
     }
     return rv;
 }
 
 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
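Review bot: CERT_ChangeCertTrust no longer takes the cert trust lock around STAN_ChangeCertTrust, and nothing in the function says where the update is serialised now. The rest of this commit moves readers from `cert->trust` to a copy obtained through CERT_GetCertTrust, so presumably the lock is now taken inside the writer and the accessor, but that code is outside this hunk. If so, a one-line comment such as `/* STAN_ChangeCertTrust takes the trust lock itself; do not lock here */` would stop a later change from reintroducing a nested lock or an unlocked write.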
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -537,27 +537,25 @@ CERT_FreeDistNames(CERTDistNames *names)
     return;
 }
 
 static SECStatus
 CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
 {
     CERTDistNames *names;
     PRBool saveit = PR_FALSE;
-    CERTCertTrust *trust;
+    CERTCertTrust trust;
     dnameNode *node;
     int len;
     
     names = (CERTDistNames *)data;
     
-    if ( cert->trust ) {
-	trust = cert->trust;
-	
+    if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
 	/* only collect names of CAs trusted for issuing SSL clients */
-	if (  trust->sslFlags &  CERTDB_TRUSTED_CLIENT_CA )  {
+	if (  trust.sslFlags &  CERTDB_TRUSTED_CLIENT_CA )  {
 	    saveit = PR_TRUE;
 	}
     }
 
     if ( saveit ) {
 	/* allocate the node */
 	node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
 	if ( node == NULL ) {
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -323,16 +323,17 @@ cert_VerifyCertChainOld(CERTCertDBHandle
     unsigned int requiredCAKeyUsage;
     unsigned int requiredFlags;
     PRArenaPool *arena = NULL;
     CERTGeneralName *namesList = NULL;
     CERTCertificate **certsList      = NULL;
     int certsListLen = 16;
     int namesCount = 0;
     PRBool subjectCertIsSelfIssued;
+    CERTCertTrust issuerTrust;
 
     if (revoked) {
         *revoked = PR_FALSE;
     }
 
     if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
 					 &requiredCAKeyUsage,
 					 &caCertType)
@@ -523,17 +524,17 @@ cert_VerifyCertChainOld(CERTCertDBHandle
              * worse has happened... so keep cranking the loop */
             rvFinal = SECFailure;
             if (revoked) {
                 *revoked = PR_TRUE;
             }
             LOG_ERROR(log,subjectCert,count,0);
         }
 
-	if ( issuerCert->trust ) {
+	if ( CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
 	    /* we have some trust info, but this does NOT imply that this
 	     * cert is actually trusted for any purpose.  The cert may be
 	     * explicitly UNtrusted.  We won't know until we examine the
 	     * trust bits.
 	     */
 	    unsigned int flags;
 
 	    if (certUsage != certUsageAnyCA &&
@@ -547,17 +548,17 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 	                trustType = trustEmail;
 	            } else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
 	                trustType = trustSSL;
 	            } else {
 	                trustType = trustObjectSigning;
 	            }
 	        }
 
-	        flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+	        flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
 	        if (( flags & requiredFlags ) == requiredFlags) {
 	            /* we found a trusted one, so return */
 	            rv = rvFinal; 
 	            goto done;
 	        }
 	        if (flags & CERTDB_VALID_CA) {
 	            validCAOverride = PR_TRUE;
 	        }
@@ -569,31 +570,31 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 		    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
 		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
 		}
 	    } else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
-                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+                    flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                     if ((flags & requiredFlags) == requiredFlags) {
 	                rv = rvFinal; 
 	                goto done;
                     }
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
 		/* We have 2 separate loops because we want any single trust
 		 * bit to allow this usage to return trusted. Only if none of
 		 * the trust bits are on do we check to see if the cert is 
 		 * untrusted */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
-                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+                    flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
 		    /* is it explicitly distrusted? */
 		    if ((flags & CERTDB_TERMINAL_RECORD) && 
 			((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
 			/* untrusted -- the cert is explicitly untrusted, not
 			 * just that it doesn't chain to a trusted cert */
 			PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
 			LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
 		    }
@@ -724,16 +725,17 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
     PRBool validCAOverride = PR_FALSE;
     SECStatus rv;
     SECStatus rvFinal = SECSuccess;
     unsigned int flags;
     unsigned int caCertType;
     unsigned int requiredCAKeyUsage;
     unsigned int requiredFlags;
     CERTCertificate *issuerCert;
+    CERTCertTrust certTrust;
 
 
     if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
 					 &requiredCAKeyUsage,
 					 &caCertType) != SECSuccess ) {
 	PORT_Assert(0);
 	EXIT_IF_NOT_LOGGING(log);
 	requiredCAKeyUsage = 0;
@@ -789,17 +791,17 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
 	    LOG_ERROR_OR_EXIT(log,cert,0,0);
 	}
 
 	/* can't check path length if we don't know the previous path */
 	isca = PR_TRUE;
     }
 	
-    if ( cert->trust ) {
+    if ( CERT_GetCertTrust(cert, &certTrust) == SECSuccess ) {
 	/* we have some trust info, but this does NOT imply that this
 	 * cert is actually trusted for any purpose.  The cert may be
 	 * explicitly UNtrusted.  We won't know until we examine the
 	 * trust bits.
 	 */
         if (certUsage == certUsageStatusResponder) {
 	    /* Check the special case of certUsageStatusResponder */
             issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
@@ -818,17 +820,17 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 	     */
 	    rv = rvFinal; 
 	    goto done;
         }
 
 	/*
 	 * check the trust params of the issuer
 	 */
-	flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
+	flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
 	if ( ( flags & requiredFlags ) == requiredFlags) {
 	    /* we found a trusted one, so return */
 	    rv = rvFinal; 
 	    goto done;
 	}
 	if (flags & CERTDB_VALID_CA) {
 	    validCAOverride = PR_TRUE;
 	}
@@ -910,138 +912,139 @@ done:
  *   returns failure if the cert is distrusted. If failure, flags
  *       will return the flag bits that indicated distrust.
  */
 SECStatus
 cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
 	            unsigned int *failedFlags, PRBool *trusted)
 {
     unsigned int flags;
+    CERTCertTrust trust;
 
     *failedFlags = 0;
     *trusted = PR_FALSE;
 			
     /* check trust flags to see if this cert is directly trusted */
-    if ( cert->trust ) { 
+    if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) { 
 	switch ( certUsage ) {
 	  case certUsageSSLClient:
 	  case certUsageSSLServer:
-	    flags = cert->trust->sslFlags;
+	    flags = trust.sslFlags;
 	    
 	    /* is the cert directly trusted or not trusted ? */
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
 		    *trusted = PR_TRUE;
 		    return SECSuccess;
 		} else { /* don't trust this cert */
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    break;
 	  case certUsageSSLServerWithStepUp:
 	    /* XXX - step up certs can't be directly trusted, only distrust */
-	    flags = cert->trust->sslFlags;
+	    flags = trust.sslFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if (( flags & CERTDB_TRUSTED ) == 0) {	
 		    /* don't trust this cert */
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    break;
 	  case certUsageSSLCA:
-	    flags = cert->trust->sslFlags;
+	    flags = trust.sslFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if (( flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA) ) == 0) {	
 		    /* don't trust this cert */
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    break;
 	  case certUsageEmailSigner:
 	  case certUsageEmailRecipient:
-	    flags = cert->trust->emailFlags;
+	    flags = trust.emailFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
 		    *trusted = PR_TRUE;
 		    return SECSuccess;
 		} 
 		else { /* don't trust this cert */
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    
 	    break;
 	  case certUsageObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
+	    flags = trust.objectSigningFlags;
 
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
 		    *trusted = PR_TRUE;
 		    return SECSuccess;
 		} else { /* don't trust this cert */
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    break;
 	  case certUsageVerifyCA:
 	  case certUsageStatusResponder:
-	    flags = cert->trust->sslFlags;
+	    flags = trust.sslFlags;
 	    /* is the cert directly trusted or not trusted ? */
 	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
 		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
 		*trusted = PR_TRUE;
 		return SECSuccess;
 	    }
-	    flags = cert->trust->emailFlags;
+	    flags = trust.emailFlags;
 	    /* is the cert directly trusted or not trusted ? */
 	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
 		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
 		*trusted = PR_TRUE;
 		return SECSuccess;
 	    }
-	    flags = cert->trust->objectSigningFlags;
+	    flags = trust.objectSigningFlags;
 	    /* is the cert directly trusted or not trusted ? */
 	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
 		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
 		*trusted = PR_TRUE;
 		return SECSuccess;
 	    }
 	    /* fall through to test distrust */
 	  case certUsageAnyCA:
 	  case certUsageUserCertImport:
 	    /* do we distrust these certs explicitly */
-	    flags = cert->trust->sslFlags;
+	    flags = trust.sslFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
-	    flags = cert->trust->emailFlags;
+	    flags = trust.emailFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    /* fall through */
 	  case certUsageProtectedObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
+	    flags = trust.objectSigningFlags;
 	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
 						    * authoritative */
 		if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
 		    *failedFlags = flags;
 		    return SECFailure;
 		}
 	    }
 	    break;
@@ -1382,16 +1385,17 @@ CERT_VerifyCertNow(CERTCertDBHandle *han
 
 CERTCertificate *
 CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
 		      CERTCertOwner owner, SECCertUsage usage,
 		      PRBool preferTrusted, int64 validTime, PRBool validOnly)
 {
     CERTCertList *certList = NULL;
     CERTCertificate *cert = NULL;
+    CERTCertTrust certTrust;
     unsigned int requiredTrustFlags;
     SECTrustType requiredTrustType;
     unsigned int flags;
     
     PRBool lookingForCA = PR_FALSE;
     SECStatus rv;
     CERTCertListNode *node;
     CERTCertificate *saveUntrustedCA = NULL;
@@ -1423,20 +1427,20 @@ CERT_FindMatchingCert(CERTCertDBHandle *
 	
 	while ( !CERT_LIST_END(node, certList) ) {
 	    cert = node->cert;
 
 	    /* looking for a trusted CA cert */
 	    if ( ( owner == certOwnerCA ) && preferTrusted &&
 		( requiredTrustType != trustTypeNone ) ) {
 
-		if ( cert->trust == NULL ) {
+		if ( CERT_GetCertTrust(cert, &certTrust) != SECSuccess ) {
 		    flags = 0;
 		} else {
-		    flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
+		    flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
 		}
 
 		if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
 		    /* cert is not trusted */
 		    /* if this is the first cert to get this far, then save
 		     * it, so we can use it if we can't find a trusted one
 		     */
 		    if ( saveUntrustedCA == NULL ) {
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -1706,16 +1706,23 @@ cert_pkixSetParam(PKIX_ProcessingParams 
                 r = SECFailure;
                 break;
             }
 
             nssContext->chainVerifyCallback = *chainVerifyCallback;
         }
         break;
 
+        case cert_pi_useOnlyTrustAnchors:
+            error =
+                PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
+                                      (PRBool)(param->value.scalar.b != 0),
+                                                             plContext);
+            break;
+
         default:
             PORT_SetError(errCode);
             r = SECFailure;
             break;
     }
 
     if (policyOIDList != NULL)
         PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.76 2012/12/12 19:29:40 wtc%google.com Exp $
+ * $Id: ocsp.c,v 1.77 2013/01/23 23:05:50 kaie%kuix.de Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -5686,16 +5686,15 @@ CERT_GetOCSPResponseStatus(CERTOCSPRespo
 	break;
       case ocspResponse_sigRequired:
 	/* XXX We *should* retry with a signature, if possible. */
 	PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
 	break;
       case ocspResponse_unauthorized:
 	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
 	break;
-      case ocspResponse_other:
       case ocspResponse_unused:
       default:
 	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
 	break;
     }
     return SECFailure;
 }
--- a/security/nss/lib/certhigh/ocspti.h
+++ b/security/nss/lib/certhigh/ocspti.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Private header defining OCSP types.
  *
- * $Id: ocspti.h,v 1.9 2012/12/12 16:03:44 wtc%google.com Exp $
+ * $Id: ocspti.h,v 1.11 2013/01/23 23:05:51 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSPTI_H_
 #define _OCSPTI_H_
 
 #include "ocspt.h"
 
 #include "certt.h"
@@ -184,24 +184,28 @@ struct CERTOCSPCertIDStr {
  *	internalError		(2),	--Internal error in issuer
  *	tryLater		(3),	--Try again later
  *					--(4) is not used
  *	sigRequired		(5),	--Must sign the request
  *	unauthorized		(6),	--Request unauthorized
  * }
  */
 typedef enum {
-    ocspResponse_other = -1,		/* unknown/unrecognized value */
+    ocspResponse_min = 0,
     ocspResponse_successful = 0,
     ocspResponse_malformedRequest = 1,
     ocspResponse_internalError = 2,
     ocspResponse_tryLater = 3,
     ocspResponse_unused = 4,
     ocspResponse_sigRequired = 5,
-    ocspResponse_unauthorized = 6
+    ocspResponse_unauthorized = 6,
+    ocspResponse_max = 6 /* Please update max when adding values.
+                          * Remember to also update arrays, e.g.
+                          * "responseStatusNames" in ocspclnt.c
+                          * and potentially other places. */
 } ocspResponseStatus;
 
 /*
  * An OCSPResponse is what is sent (encoded) by an OCSP responder.
  *
  * The field "responseStatus" is the ASN.1 encoded value; the field
  * "statusValue" is simply that same value translated into our local
  * type ocspResponseStatus.
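Review bot: With `ocspResponse_other = -1` removed, a status value from the wire outside 0..6 no longer has an enum member to map to. Whatever fills `statusValue` therefore has to range-check against `ocspResponse_min`/`ocspResponse_max` before the value is stored or used as an index into tables such as `responseStatusNames`. That decoding code is not in this hunk, so this is a point to verify rather than a confirmed defect. The comment on `ocspResponse_max` could say it directly, e.g. `* Values decoded from a response must be checked against min/max before use as an array index.`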
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -86,17 +86,17 @@ ifdef FREEBL_USE_PRELINK
 ifdef LINUX
 	DEFINES += -D__GNU_SOURCE=1
 endif
 endif
 ifdef FREEBL_PRELINK_COMMAND
 	DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
 endif
 # NSS_X86 means the target is a 32-bits x86 CPU architecture
-# NSS_X64 means the target is a 64-bits x64 CPU architecture
+# NSS_X64 means the target is a 64-bits 64 CPU architecture
 # NSS_X86_OR_X64 means the target is either x86 or x64
 ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
         DEFINES += -DNSS_X86_OR_X64
 ifdef USE_64
         DEFINES += -DNSS_X64
 else
         DEFINES += -DNSS_X86
 endif
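Review bot: The edited comment line now reads `64-bits 64 CPU architecture`; the `x` of `x64` was dropped, while the following comment line still says `x64`. Restore it as `# NSS_X64 means the target is a 64-bits x64 CPU architecture`.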
@@ -182,17 +182,19 @@ ifeq ($(CPU_ARCH),x86_64)
     ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
     ASFLAGS += -march=opteron -m64 -fPIC -Wa,--noexecstack
     DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
     DEFINES += -DNSS_USE_COMBA
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 #   DEFINES += -DMPI_AMD64_ADD
     # comment the next two lines to turn off intel HW accelleration
     DEFINES += -DUSE_HW_AES
-    ASFILES += intel-aes.s
+    ASFILES += intel-aes.s intel-gcm.s
+    EXTRA_SRCS +=  intel-gcm-wrap.c
+    INTEL_GCM=1
     MPI_SRCS += mpi_amd64.c mp_comba.c
 endif
 ifeq ($(CPU_ARCH),x86)
     ASFILES  = mpi_x86.s
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
     DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
     # The floating point ECC code doesn't work on Linux x86 (bug 311432).
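Review bot: The comment `comment the next two lines to turn off intel HW accelleration` is stale after this change, because four lines now belong to the block (`DEFINES += -DUSE_HW_AES`, the `ASFILES` line, `EXTRA_SRCS` and `INTEL_GCM=1`). Commenting out only the first two leaves `intel-gcm-wrap.c` in the build and `INTEL_GCM` set. Suggest `# comment the next four lines to turn off Intel hardware acceleration (AES-NI and GCM)`. The same applies to the Solaris amd64 hunk further down, where the two added lines are also indented with spaces while the neighbouring lines use tabs.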
@@ -437,17 +439,19 @@ else
             SOL_CFLAGS += -xprefetch=no
 	    SHA_SRCS =
  	    MPCPU_SRCS =
 	endif
 	DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
 	DEFINES += -DNSS_USE_COMBA -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 	# comment the next two lines to turn off intel HW accelleration
 	DEFINES += -DUSE_HW_AES
-	ASFILES += intel-aes.s
+	ASFILES += intel-aes.s intel-gcm.s
+        EXTRA_SRCS +=  intel-gcm-wrap.c
+        INTEL_GCM=1
 	MPI_SRCS += mpi_amd64.c
     else
 	# Solaris x86
 	DEFINES += -DMP_USE_UINT_DIGIT
 	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
 	DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
 	ASFILES  = mpi_i86pc.s
  	ifndef NS_USE_GCC
@@ -638,8 +642,21 @@ ifneq ($(CPU_ARCH),x86)
 	@$(MAKE_OBJDIR)
 ifdef NEED_ABSOLUTE_PATH
 	$(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $(call core_abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $<
 endif
 endif
 endif
+
+ifdef INTEL_GCM
+#
+# GCM binary needs -msse4
+#
+$(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): intel-gcm-wrap.c
+	@$(MAKE_OBJDIR)
+ifdef NEED_ABSOLUTE_PATH
+	$(CC) -o $@ -c -mssse3 $(CFLAGS) $(call core_abspath,$<)
+else
+	$(CC) -o $@ -c -mssse3 $(CFLAGS) $<
+endif
+endif
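Review bot: The comment says `GCM binary needs -msse4` but both recipe lines pass `-mssse3`. intel-gcm-wrap.c uses `_mm_shuffle_epi8` and includes `tmmintrin.h`, which is SSSE3, so the flag looks right and the comment should read `# intel-gcm-wrap.c uses SSSE3 intrinsics and needs -mssse3`. Also, `-mssse3` is a GCC-style option and `INTEL_GCM=1` is set in the Solaris amd64 branch as well. If that branch can be built with a non-GCC compiler (the nearby `SOL_CFLAGS` lines suggest it can), this rule needs a compiler guard or a per-compiler flag variable.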
--- a/security/nss/lib/freebl/arcfour.c
+++ b/security/nss/lib/freebl/arcfour.c
@@ -121,17 +121,17 @@ RC4_InitContext(RC4Context *cx, const un
 {
 	int i;
 	PRUint8 j, tmp;
 	PRUint8 K[256];
 	PRUint8 *L;
 
 	/* verify the key length. */
 	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
-	if (len < 0 || len >= ARCFOUR_STATE_SIZE) {
+	if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
 		PORT_SetError(SEC_ERROR_INVALID_ARGS);
 		return SECFailure;
 	}
 	if (cx == NULL) {
 	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	    return SECFailure;
 	}
 	/* Initialize the state using array indices. */
--- a/security/nss/lib/freebl/desblapi.c
+++ b/security/nss/lib/freebl/desblapi.c
@@ -238,34 +238,34 @@ DES_DestroyContext(DESContext *cx, PRBoo
     }
 }
 
 SECStatus
 DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
             unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
 {
 
-    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+    if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || 
         cx->direction != DES_ENCRYPT) {
     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     cx->worker(cx, out, in, inLen);
     if (outLen)
 	*outLen = inLen;
     return SECSuccess;
 }
 
 SECStatus
 DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
             unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
 {
 
-    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+    if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || 
         cx->direction != DES_DECRYPT) {
     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     cx->worker(cx, out, in, inLen);
     if (outLen)
 	*outLen = inLen;
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/intel-gcm-wrap.c
@@ -0,0 +1,235 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Wrapper funcions for Intel optimized implementation of AES-GCM */
+
+#ifdef USE_HW_AES
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "blapii.h"
+#include "blapit.h"
+#include "gcm.h"
+#include "ctr.h"
+#include "secerr.h"
+#include "prtypes.h"
+#include "pkcs11t.h"
+
+#include <limits.h>
+
+#include "intel-gcm.h"
+#include "rijndael.h"
+
+#if defined(__INTEL_COMPILER)
+#include <ia32intrin.h> 
+#elif defined(__GNUC__)
+#include <emmintrin.h>
+#include <tmmintrin.h>
+#endif
+
+
+struct intel_AES_GCMContextStr{
+    unsigned char Htbl[16*AES_BLOCK_SIZE];
+    unsigned char X0[AES_BLOCK_SIZE];
+    unsigned char T[AES_BLOCK_SIZE];
+    unsigned char CTR[AES_BLOCK_SIZE];
+    AESContext *aes_context;
+    unsigned long tagBits;
+    unsigned long Alen;
+    unsigned long Mlen;
+};
+
+intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, 
+               freeblCipherFunc cipher,
+               const unsigned char *params, 
+               unsigned int blocksize)
+{
+    intel_AES_GCMContext *gcm = NULL;
+    AESContext *aes = (AESContext*)context;
+    const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
+    unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */
+    
+    int IV_whole_len = gcmParams->ulIvLen&(~0xf);
+    int IV_remainder_len = gcmParams->ulIvLen&0xf;
+    int AAD_whole_len = gcmParams->ulAADLen&(~0xf);
+    int AAD_remainder_len = gcmParams->ulAADLen&0xf;
+    
+    __m128i BSWAP_MASK = _mm_setr_epi8(15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0);
+    __m128i ONE = _mm_set_epi32(0,0,0,1);
+    unsigned int j;
+    SECStatus rv;
+
+    if (blocksize != AES_BLOCK_SIZE) {
+      PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+      return NULL;
+    }
+    gcm = PORT_ZNew(intel_AES_GCMContext);
+    
+    if (gcm == NULL) {
+        return NULL;
+    }
+    /* initialize context fields */
+    gcm->aes_context = aes;
+    gcm->tagBits = gcmParams->ulTagBits;
+    gcm->Alen = 0;
+    gcm->Mlen = 0;
+    /* first prepare H and its derivatives for ghash */
+    intel_aes_gcmINIT(gcm->Htbl, (unsigned char*)aes->expandedKey, aes->Nr);
+    /* Initial TAG value is zero*/
+    _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
+    _mm_storeu_si128((__m128i*)gcm->X0, _mm_setzero_si128());
+    /* Init the counter */
+    if(gcmParams->ulIvLen == 12) {
+        _mm_storeu_si128((__m128i*)gcm->CTR, _mm_setr_epi32(((unsigned int*)gcmParams->pIv)[0], ((unsigned int*)gcmParams->pIv)[1], ((unsigned int*)gcmParams->pIv)[2], 0x01000000));
+    } else {
+        /* If IV size is not 96 bits, then the initial counter value is GHASH of the IV */
+        intel_aes_gcmAAD(gcm->Htbl, gcmParams->pIv, IV_whole_len, gcm->T);
+        /* Partial block */
+        if(IV_remainder_len) {
+            PORT_Memset(buff, 0, AES_BLOCK_SIZE);
+            PORT_Memcpy(buff, gcmParams->pIv + IV_whole_len, IV_remainder_len);
+            intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
+         }
+         
+         intel_aes_gcmTAG
+         (
+            gcm->Htbl,
+            gcm->T,
+            gcmParams->ulIvLen,
+            0,
+            gcm->X0,
+            gcm->CTR
+         );
+        /* TAG should be zero again */
+        _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
+    }
+    /* Encrypt the initial counter, will be used to encrypt the GHASH value, in the end */
+    rv = (*cipher)(context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Promote the counter by 1 */
+    _mm_storeu_si128((__m128i*)gcm->CTR, _mm_shuffle_epi8(_mm_add_epi32(ONE, _mm_shuffle_epi8(_mm_loadu_si128((__m128i*)gcm->CTR), BSWAP_MASK)), BSWAP_MASK));
+
+/*     Now hash AAD - it would actually make sense to seperate the context creation from the AAD, 
+ *     because that would allow to reuse the H, which only changes when the AES key changes, 
+ *     and not every package, like the IV and AAD */
+    intel_aes_gcmAAD(gcm->Htbl, gcmParams->pAAD, AAD_whole_len, gcm->T);
+    if(AAD_remainder_len) {
+        PORT_Memset(buff, 0, AES_BLOCK_SIZE);
+        PORT_Memcpy(buff, gcmParams->pAAD + AAD_whole_len, AAD_remainder_len);
+        intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
+    }
+    gcm->Alen += gcmParams->ulAADLen;
+    return gcm;
+    
+    loser:
+    if (gcm) {
+        PORT_Free(gcm);
+    }
+    return NULL;
+}
+
+void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
+{
+    if (freeit) {
+        PORT_Free(gcm);
+    }
+}
+
+SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm, 
+            unsigned char *outbuf,
+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    int j;
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
+    if (UINT_MAX - inlen < tagBytes) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    if (maxout < inlen + tagBytes) {
+        *outlen = inlen + tagBytes;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    intel_aes_gcmENC(
+        inbuf,
+        outbuf,
+        gcm,
+        inlen);
+
+    gcm->Mlen += inlen;
+      
+    intel_aes_gcmTAG(
+        gcm->Htbl,
+        gcm->T,
+        gcm->Mlen,
+        gcm->Alen,
+        gcm->X0,
+        T);
+
+    *outlen = inlen + tagBytes;
+
+    for(j=0; j<tagBytes; j++)
+    {
+        outbuf[inlen+j] = T[j];
+    }
+    return SECSuccess;
+}
+
+SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, 
+            unsigned char *outbuf,
+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    const unsigned char *intag;
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
+ 
+    /* get the authentication block */
+    if (inlen < tagBytes) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    inlen -= tagBytes;
+    intag = inbuf + inlen;
+
+    intel_aes_gcmDEC(
+         inbuf,
+         outbuf,
+         gcm,
+         inlen);
+
+    gcm->Mlen += inlen;
+    intel_aes_gcmTAG(
+         gcm->Htbl,
+         gcm->T,
+         gcm->Mlen,
+         gcm->Alen,
+         gcm->X0,
+         T);
+
+    if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) {
+        /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+    *outlen = inlen;
+
+    return SECSuccess;
+}
+
+#endif
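Review bot: intel_AES_GCM_DecryptUpdate never compares `maxout` with the payload length before intel_aes_gcmDEC writes `inlen` bytes to `outbuf`, although the encrypt path makes that check, so a caller with a short output buffer gets an out-of-bounds write. `ulTagBits` is also copied from the caller's CK_GCM_PARAMS unchecked: a value above 128 makes `tagBytes` exceed the 16-byte local `T` that both update functions read from, and a value of 0 appears to make the tag comparison vacuous. In addition, the decrypt path leaves the decrypted bytes in `outbuf` when the tag check fails, and intel_AES_GCM_DestroyContext frees the context without clearing the key-derived `Htbl` and `X0`; zeroing in both places would be cheap. The excerpt below shows the two bounds checks I would add.

```c
/* in intel_AES_GCM_CreateContext, after the blocksize check */
    if (gcmParams->ulTagBits > AES_BLOCK_SIZE * PR_BITS_PER_BYTE) {
        /* tagBytes must never exceed the AES_BLOCK_SIZE tag buffer T */
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
/* … unchanged: context allocation, counter setup, AAD hashing … */

/* in intel_AES_GCM_DecryptUpdate */
    inlen -= tagBytes;
    intag = inbuf + inlen;
    if (maxout < inlen) {
        /* refuse to write more plaintext than the caller's buffer holds */
        *outlen = inlen;
        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
        return SECFailure;
    }
/* … unchanged: intel_aes_gcmDEC, intel_aes_gcmTAG, tag comparison … */
```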
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/intel-gcm.h
@@ -0,0 +1,62 @@
+#ifndef INTEL_GCM_H
+#define INTEL_GCM_H 1
+
+#include "blapii.h"
+
+typedef struct intel_AES_GCMContextStr intel_AES_GCMContext;
+
+intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, freeblCipherFunc cipher,
+			const unsigned char *params, unsigned int blocksize);
+
+void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit);
+
+SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext  *gcm, unsigned char *outbuf,
+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize);
+
+SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, unsigned char *outbuf,
+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize);
+
+/* Prorotypes of functions in the assembler file for fast AES-GCM, using 
+   Intel AES-NI and CLMUL-NI, as described in [1]
+   [1] Shay Gueron, Michael E. Kounavis: IntelĀ® Carry-Less Multiplication 
+       Instruction and its Usage for Computing the GCM Mode                */
+       
+/* Prepares the constants used in the aggregated reduction method */
+void intel_aes_gcmINIT(unsigned char Htbl[16*16],
+                       unsigned char *KS,
+                       int NR);
+
+/* Produces the final GHASH value */
+void intel_aes_gcmTAG(unsigned char Htbl[16*16], 
+                      unsigned char *Tp, 
+                      unsigned long Mlen, 
+                      unsigned long Alen, 
+                      unsigned char* X0, 
+                      unsigned char* TAG);
+
+/* Hashes the Additional Authenticated Data, should be used before enc/dec.
+   Operates on whole blocks only. Partial blocks should be padded externally. */
+void intel_aes_gcmAAD(unsigned char Htbl[16*16], 
+                      unsigned char *AAD, 
+                      unsigned long Alen, 
+                      unsigned char *Tp);
+
+/* Encrypts and hashes the Plaintext. 
+   Operates on any length of data, however partial block should only be encrypted
+   at the last call, otherwise the result will be incorrect. */
+void intel_aes_gcmENC(const unsigned char* PT, 
+                      unsigned char* CT, 
+                      void *Gctx, 
+                      unsigned long len);
+                  
+/* Similar to ENC, but decrypts the Ciphertext. */
+void intel_aes_gcmDEC(const unsigned char* CT, 
+                      unsigned char* PT, 
+                      void *Gctx, 
+                      unsigned long len);
+
+#endif
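Review bot: The declaration of intel_AES_GCM_DecryptUpdate takes `maxout` but states no contract for it, and the implementation this commit adds in intel-gcm-wrap.c never compares `maxout` with the payload length before intel_aes_gcmDEC writes to `outbuf`, whereas intel_AES_GCM_EncryptUpdate rejects a short buffer with SEC_ERROR_OUTPUT_LEN. Unless every caller already guarantees the buffer size, a guard placed after `inlen -= tagBytes` would close this: `if (maxout < inlen) { *outlen = inlen; PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; }`. The plaintext is also written to `outbuf` before NSS_SecureMemcmp checks the tag, so the prototype should carry a comment such as `/* On SECFailure outbuf may already hold unauthenticated plaintext; callers must discard it. */`. Separately, intel_aes_gcmENC and intel_aes_gcmDEC take `void *Gctx` while the assembler reads it at fixed offsets (272, 288 and 304), so the header should say that Gctx must be an intel_AES_GCMContext whose layout matches those offsets.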
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/intel-gcm.s
@@ -0,0 +1,1335 @@
+
+
+.align  16
+.Lone:
+.quad 1,0
+.Ltwo:
+.quad 2,0
+.Lbswap_mask:
+.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
+.Lshuff_mask:
+.quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f
+.Lpoly:
+.quad 0x1, 0xc200000000000000 
+
+
+################################################################################
+# Generates the final GCM tag
+# void intel_aes_gcmTAG(uint8_t Htbl[16*16], uint8_t *Tp, uint64_t Mlen, uint64_t Alen, uint8_t* X0, uint8_t* TAG);
+.type intel_aes_gcmTAG,@function
+.globl intel_aes_gcmTAG
+.align 16
+intel_aes_gcmTAG:
+
+.set  Htbl, %rdi
+.set  Tp, %rsi
+.set  Mlen, %rdx
+.set  Alen, %rcx
+.set  X0, %r8
+.set  TAG, %r9
+
+.set T,%xmm0
+.set TMP0,%xmm1
+
+   vmovdqu  (Tp), T
+   vpshufb  .Lbswap_mask(%rip), T, T
+   vpxor    TMP0, TMP0, TMP0
+   shl      $3, Mlen
+   shl      $3, Alen
+   vpinsrq  $0, Mlen, TMP0, TMP0
+   vpinsrq  $1, Alen, TMP0, TMP0
+   vpxor    TMP0, T, T
+   vmovdqu  (Htbl), TMP0
+   call     GFMUL
+   vpshufb  .Lbswap_mask(%rip), T, T
+   vpxor    (X0), T, T
+   vmovdqu  T, (TAG)
+   
+ret
+.size intel_aes_gcmTAG, .-intel_aes_gcmTAG
+################################################################################
+# Generates the H table
+# void intel_aes_gcmINIT(uint8_t Htbl[16*16], uint8_t *KS, int NR);
+.type intel_aes_gcmINIT,@function
+.globl intel_aes_gcmINIT
+.align 16
+intel_aes_gcmINIT:
+   
+.set  Htbl, %rdi
+.set  KS, %rsi
+.set  NR, %edx
+
+.set T,%xmm0
+.set TMP0,%xmm1
+
+CALCULATE_POWERS_OF_H:
+    vmovdqu      16*0(KS), T
+    vaesenc      16*1(KS), T, T
+    vaesenc      16*2(KS), T, T
+    vaesenc      16*3(KS), T, T
+    vaesenc      16*4(KS), T, T
+    vaesenc      16*5(KS), T, T
+    vaesenc      16*6(KS), T, T
+    vaesenc      16*7(KS), T, T
+    vaesenc      16*8(KS), T, T
+    vaesenc      16*9(KS), T, T
+    vmovdqu      16*10(KS), TMP0
+    cmp          $10, NR
+    je           .LH0done
+    vaesenc      16*10(KS), T, T
+    vaesenc      16*11(KS), T, T
+    vmovdqu      16*12(KS), TMP0
+    cmp          $12, NR
+    je           .LH0done
+    vaesenc      16*12(KS), T, T
+    vaesenc      16*13(KS), T, T
+    vmovdqu      16*14(KS), TMP0
+  
+.LH0done:
+    vaesenclast  TMP0, T, T
+
+    vpshufb      .Lbswap_mask(%rip), T, T  
+
+    vmovdqu	T, TMP0
+    # Calculate H` = GFMUL(H, 2)
+    vpsrld	$7 , T , %xmm3
+    vmovdqu	.Lshuff_mask(%rip), %xmm4
+    vpshufb	%xmm4, %xmm3 , %xmm3
+    movq	$0xff00 , %rax
+    vmovq	%rax, %xmm4
+    vpshufb	%xmm3, %xmm4 , %xmm4
+    vmovdqu	.Lpoly(%rip), %xmm5
+    vpand	%xmm4, %xmm5, %xmm5
+    vpsrld	$31, T, %xmm3
+    vpslld	$1, T, %xmm4
+    vpslldq	$4, %xmm3, %xmm3
+    vpxor	%xmm3, %xmm4, T  #xmm1 holds now p(x)<<1
+
+    #adding p(x)<<1 to xmm5
+    vpxor     %xmm5, T , T
+    vmovdqu   T, TMP0
+    vmovdqu   T, (Htbl)     # H * 2
+    call  GFMUL
+    vmovdqu  T, 16(Htbl)    # H^2 * 2
+    call  GFMUL
+    vmovdqu  T, 32(Htbl)    # H^3 * 2
+    call  GFMUL
+    vmovdqu  T, 48(Htbl)    # H^4 * 2
+    call  GFMUL
+    vmovdqu  T, 64(Htbl)    # H^5 * 2
+    call  GFMUL
+    vmovdqu  T, 80(Htbl)    # H^6 * 2
+    call  GFMUL
+    vmovdqu  T, 96(Htbl)    # H^7 * 2
+    call  GFMUL
+    vmovdqu  T, 112(Htbl)   # H^8 * 2  
+
+    # Precalculations for the reduce 4 step
+    vpshufd  $78, (Htbl), %xmm8
+    vpshufd  $78, 16(Htbl), %xmm9
+    vpshufd  $78, 32(Htbl), %xmm10
+    vpshufd  $78, 48(Htbl), %xmm11
+    vpshufd  $78, 64(Htbl), %xmm12
+    vpshufd  $78, 80(Htbl), %xmm13
+    vpshufd  $78, 96(Htbl), %xmm14
+    vpshufd  $78, 112(Htbl), %xmm15
+
+    vpxor  (Htbl), %xmm8, %xmm8
+    vpxor  16(Htbl), %xmm9, %xmm9
+    vpxor  32(Htbl), %xmm10, %xmm10
+    vpxor  48(Htbl), %xmm11, %xmm11
+    vpxor  64(Htbl), %xmm12, %xmm12
+    vpxor  80(Htbl), %xmm13, %xmm13
+    vpxor  96(Htbl), %xmm14, %xmm14
+    vpxor  112(Htbl), %xmm15, %xmm15
+
+    vmovdqu   %xmm8, 128(Htbl)
+    vmovdqu   %xmm9, 144(Htbl)
+    vmovdqu   %xmm10, 160(Htbl)
+    vmovdqu   %xmm11, 176(Htbl)
+    vmovdqu   %xmm12, 192(Htbl)
+    vmovdqu   %xmm13, 208(Htbl)
+    vmovdqu   %xmm14, 224(Htbl)
+    vmovdqu   %xmm15, 240(Htbl)
+
+    ret
+.size intel_aes_gcmINIT, .-intel_aes_gcmINIT
+################################################################################
+# Authenticate only
+# void intel_aes_gcmAAD(uint8_t Htbl[16*16], uint8_t *AAD, uint64_t Alen, uint8_t *Tp);
+
+.globl  intel_aes_gcmAAD
+.type   intel_aes_gcmAAD,@function
+.align  16
+intel_aes_gcmAAD:
+
+.set DATA, %xmm0
+.set T, %xmm1
+.set BSWAP_MASK, %xmm2
+.set TMP0, %xmm3
+.set TMP1, %xmm4
+.set TMP2, %xmm5
+.set TMP3, %xmm6
+.set TMP4, %xmm7
+.set Xhi, %xmm9
+
+.set Htbl, %rdi
+.set inp, %rsi
+.set len, %rdx
+.set Tp, %rcx
+
+.set hlp0, %r11
+
+.macro KARATSUBA_AAD i
+    vpclmulqdq  $0x00, 16*\i(Htbl), DATA, TMP3
+    vpxor       TMP3, TMP0, TMP0
+    vpclmulqdq  $0x11, 16*\i(Htbl), DATA, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpshufd     $78,  DATA, TMP3
+    vpxor       DATA, TMP3, TMP3
+    vpclmulqdq  $0x00, 16*(\i+8)(Htbl), TMP3, TMP3
+    vpxor       TMP3, TMP2, TMP2
+.endm
+
+    test  len, len
+    jnz   .LbeginAAD
+    ret
+
+.LbeginAAD:
+
+   push  hlp0
+   vzeroupper
+   
+   vmovdqa  .Lbswap_mask(%rip), BSWAP_MASK
+   
+   vpxor    Xhi, Xhi, Xhi
+   
+   vmovdqu  (Tp),T
+   vpshufb  BSWAP_MASK,T,T
+
+   # we hash 8 block each iteration, if the total amount of blocks is not a multiple of 8, we hash the first n%8 blocks first
+    mov     len, hlp0
+    and	    $~-128, hlp0
+
+    jz      .Lmod_loop
+
+    sub     hlp0, len
+    sub     $16, hlp0
+
+   #hash first prefix block
+	vmovdqu (inp), DATA
+	vpshufb  BSWAP_MASK, DATA, DATA
+	vpxor    T, DATA, DATA
+	
+	vpclmulqdq  $0x00, (Htbl, hlp0), DATA, TMP0
+	vpclmulqdq  $0x11, (Htbl, hlp0), DATA, TMP1
+	vpshufd     $78, DATA, TMP2
+	vpxor       DATA, TMP2, TMP2
+	vpclmulqdq  $0x00, 16*8(Htbl, hlp0), TMP2, TMP2
+	
+	lea	    16(inp), inp
+	test    hlp0, hlp0
+	jnz	    .Lpre_loop
+	jmp	    .Lred1
+
+    #hash remaining prefix bocks (up to 7 total prefix blocks)
+.align 64
+.Lpre_loop:
+
+    sub	$16, hlp0
+
+    vmovdqu     (inp),DATA           # next data block
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    vpclmulqdq  $0x00, (Htbl,hlp0), DATA, TMP3
+    vpxor       TMP3, TMP0, TMP0
+    vpclmulqdq  $0x11, (Htbl,hlp0), DATA, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpshufd	    $78, DATA, TMP3
+    vpxor       DATA, TMP3, TMP3
+    vpclmulqdq  $0x00, 16*8(Htbl,hlp0), TMP3, TMP3
+    vpxor       TMP3, TMP2, TMP2
+
+    test	hlp0, hlp0
+
+    lea	16(inp), inp
+
+    jnz	.Lpre_loop
+	
+.Lred1:
+    vpxor       TMP0, TMP2, TMP2
+    vpxor       TMP1, TMP2, TMP2
+    vpsrldq     $8, TMP2, TMP3
+    vpslldq     $8, TMP2, TMP2
+
+    vpxor       TMP3, TMP1, Xhi
+    vpxor       TMP2, TMP0, T
+	
+.align 64
+.Lmod_loop:
+    sub	$0x80, len
+    jb	.Ldone
+
+    vmovdqu     16*7(inp),DATA		# Ii
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    vpclmulqdq  $0x00, (Htbl), DATA, TMP0
+    vpclmulqdq  $0x11, (Htbl), DATA, TMP1
+    vpshufd     $78, DATA, TMP2
+    vpxor       DATA, TMP2, TMP2
+    vpclmulqdq  $0x00, 16*8(Htbl), TMP2, TMP2
+    #########################################################
+    vmovdqu     16*6(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+    KARATSUBA_AAD 1
+    #########################################################
+    vmovdqu     16*5(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    vpclmulqdq  $0x10, .Lpoly(%rip), T, TMP4         #reduction stage 1a
+    vpalignr    $8, T, T, T
+
+    KARATSUBA_AAD 2
+
+    vpxor       TMP4, T, T                 #reduction stage 1b
+    #########################################################
+    vmovdqu		16*4(inp),DATA
+    vpshufb	    BSWAP_MASK,DATA,DATA
+
+    KARATSUBA_AAD 3
+    #########################################################
+    vmovdqu     16*3(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    vpclmulqdq  $0x10, .Lpoly(%rip), T, TMP4         #reduction stage 2a
+    vpalignr    $8, T, T, T
+
+    KARATSUBA_AAD 4
+
+    vpxor       TMP4, T, T                 #reduction stage 2b
+    #########################################################
+    vmovdqu     16*2(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    KARATSUBA_AAD 5
+
+    vpxor       Xhi, T, T                  #reduction finalize
+    #########################################################
+    vmovdqu     16*1(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+
+    KARATSUBA_AAD 6
+    #########################################################
+    vmovdqu     16*0(inp),DATA
+    vpshufb     BSWAP_MASK,DATA,DATA
+    vpxor       T,DATA,DATA
+
+    KARATSUBA_AAD 7
+    #########################################################
+    vpxor       TMP0, TMP2, TMP2              # karatsuba fixup
+    vpxor       TMP1, TMP2, TMP2
+    vpsrldq     $8, TMP2, TMP3
+    vpslldq     $8, TMP2, TMP2
+
+    vpxor       TMP3, TMP1, Xhi
+    vpxor       TMP2, TMP0, T
+
+    lea	16*8(inp), inp
+    jmp .Lmod_loop
+    #########################################################
+
+.Ldone:
+    vpclmulqdq  $0x10, .Lpoly(%rip), T, TMP3
+    vpalignr    $8, T, T, T
+    vpxor       TMP3, T, T
+
+    vpclmulqdq  $0x10, .Lpoly(%rip), T, TMP3
+    vpalignr    $8, T, T, T
+    vpxor       TMP3, T, T
+
+    vpxor       Xhi, T, T
+   
+.Lsave:
+    vpshufb     BSWAP_MASK,T, T
+    vmovdqu     T,(Tp)
+    vzeroupper
+
+    pop hlp0
+    ret
+.size   intel_aes_gcmAAD,.-intel_aes_gcmAAD
+
+################################################################################
+# Encrypt and Authenticate
+# void intel_aes_gcmENC(uint8_t* PT, uint8_t* CT, void *Gctx,uint64_t len);
+.type intel_aes_gcmENC,@function
+.globl intel_aes_gcmENC
+.align 16
+intel_aes_gcmENC:
+
+.set PT,%rdi
+.set CT,%rsi
+.set Htbl, %rdx
+.set len, %rcx
+.set KS,%r9
+.set NR,%r10d
+
+.set Gctx, %rdx
+
+.set T,%xmm0
+.set TMP0,%xmm1
+.set TMP1,%xmm2
+.set TMP2,%xmm3
+.set TMP3,%xmm4
+.set TMP4,%xmm5
+.set TMP5,%xmm6
+.set CTR0,%xmm7
+.set CTR1,%xmm8
+.set CTR2,%xmm9
+.set CTR3,%xmm10
+.set CTR4,%xmm11
+.set CTR5,%xmm12
+.set CTR6,%xmm13
+.set CTR7,%xmm14
+.set CTR,%xmm15
+
+.macro ROUND i
+    vmovdqu \i*16(KS), TMP3
+    vaesenc TMP3, CTR0, CTR0
+    vaesenc TMP3, CTR1, CTR1
+    vaesenc TMP3, CTR2, CTR2
+    vaesenc TMP3, CTR3, CTR3
+    vaesenc TMP3, CTR4, CTR4
+    vaesenc TMP3, CTR5, CTR5
+    vaesenc TMP3, CTR6, CTR6
+    vaesenc TMP3, CTR7, CTR7
+.endm
+
+.macro ROUNDMUL i
+
+    vmovdqu \i*16(%rsp), TMP5
+    vmovdqu \i*16(KS), TMP3
+
+    vaesenc TMP3, CTR0, CTR0
+    vaesenc TMP3, CTR1, CTR1
+    vaesenc TMP3, CTR2, CTR2
+    vaesenc TMP3, CTR3, CTR3
+
+    vpshufd $78, TMP5, TMP4
+    vpxor   TMP5, TMP4, TMP4
+
+    vaesenc TMP3, CTR4, CTR4
+    vaesenc TMP3, CTR5, CTR5
+    vaesenc TMP3, CTR6, CTR6
+    vaesenc TMP3, CTR7, CTR7
+
+    vpclmulqdq  $0x00, 128+\i*16(Htbl), TMP4, TMP3
+    vpxor       TMP3, TMP0, TMP0
+    vmovdqa     \i*16(Htbl), TMP4
+    vpclmulqdq  $0x11, TMP4, TMP5, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpclmulqdq  $0x00, TMP4, TMP5, TMP3
+    vpxor       TMP3, TMP2, TMP2
+  
+.endm
+
+.macro KARATSUBA i
+    vmovdqu \i*16(%rsp), TMP5
+
+    vpclmulqdq  $0x11, 16*\i(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpclmulqdq  $0x00, 16*\i(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP2, TMP2
+    vpshufd     $78, TMP5, TMP3
+    vpxor       TMP5, TMP3, TMP5
+    vpclmulqdq  $0x00, 128+\i*16(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP0, TMP0
+.endm
+
+    test len, len
+    jnz  .Lbegin
+    ret
+   
+.Lbegin:
+
+    vzeroupper
+    push %rbp
+    push %rbx
+
+    movq %rsp, %rbp   
+    sub  $128, %rsp
+    andq $-16, %rsp
+
+    vmovdqu  288(Gctx), CTR
+    vmovdqu  272(Gctx), T
+    mov  304(Gctx), KS
+    mov  4(KS), NR
+    lea  48(KS), KS
+
+    vpshufb  .Lbswap_mask(%rip), CTR, CTR
+    vpshufb  .Lbswap_mask(%rip), T, T
+
+    cmp  $128, len
+    jb   .LDataSingles
+   
+# Encrypt the first eight blocks
+    sub     $128, len
+    vmovdqa CTR, CTR0
+    vpaddd  .Lone(%rip), CTR0, CTR1
+    vpaddd  .Ltwo(%rip), CTR0, CTR2
+    vpaddd  .Lone(%rip), CTR2, CTR3
+    vpaddd  .Ltwo(%rip), CTR2, CTR4
+    vpaddd  .Lone(%rip), CTR4, CTR5
+    vpaddd  .Ltwo(%rip), CTR4, CTR6
+    vpaddd  .Lone(%rip), CTR6, CTR7
+    vpaddd  .Ltwo(%rip), CTR6, CTR
+
+    vpshufb .Lbswap_mask(%rip), CTR0, CTR0
+    vpshufb .Lbswap_mask(%rip), CTR1, CTR1
+    vpshufb .Lbswap_mask(%rip), CTR2, CTR2
+    vpshufb .Lbswap_mask(%rip), CTR3, CTR3
+    vpshufb .Lbswap_mask(%rip), CTR4, CTR4
+    vpshufb .Lbswap_mask(%rip), CTR5, CTR5
+    vpshufb .Lbswap_mask(%rip), CTR6, CTR6
+    vpshufb .Lbswap_mask(%rip), CTR7, CTR7
+
+    vpxor   (KS), CTR0, CTR0
+    vpxor   (KS), CTR1, CTR1
+    vpxor   (KS), CTR2, CTR2
+    vpxor   (KS), CTR3, CTR3
+    vpxor   (KS), CTR4, CTR4
+    vpxor   (KS), CTR5, CTR5
+    vpxor   (KS), CTR6, CTR6
+    vpxor   (KS), CTR7, CTR7
+
+    ROUND 1
+    ROUND 2
+    ROUND 3
+    ROUND 4
+    ROUND 5
+    ROUND 6
+    ROUND 7
+    ROUND 8
+    ROUND 9
+
+    vmovdqu 160(KS), TMP5
+    cmp $12, NR
+    jb  .LLast1
+
+    ROUND 10
+    ROUND 11
+
+    vmovdqu 192(KS), TMP5
+    cmp $14, NR
+    jb  .LLast1
+
+    ROUND 12
+    ROUND 13
+
+    vmovdqu 224(KS), TMP5
+  
+.LLast1:
+
+    vpxor       (PT), TMP5, TMP3
+    vaesenclast TMP3, CTR0, CTR0
+    vpxor       16(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR1, CTR1
+    vpxor       32(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR2, CTR2
+    vpxor       48(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR3, CTR3
+    vpxor       64(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR4, CTR4
+    vpxor       80(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR5, CTR5
+    vpxor       96(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR6, CTR6
+    vpxor       112(PT), TMP5, TMP3
+    vaesenclast TMP3, CTR7, CTR7
+    
+    vmovdqu     .Lbswap_mask(%rip), TMP3
+   
+    vmovdqu CTR0, (CT)
+    vpshufb TMP3, CTR0, CTR0
+    vmovdqu CTR1, 16(CT)
+    vpshufb TMP3, CTR1, CTR1
+    vmovdqu CTR2, 32(CT)
+    vpshufb TMP3, CTR2, CTR2
+    vmovdqu CTR3, 48(CT)
+    vpshufb TMP3, CTR3, CTR3
+    vmovdqu CTR4, 64(CT)
+    vpshufb TMP3, CTR4, CTR4
+    vmovdqu CTR5, 80(CT)
+    vpshufb TMP3, CTR5, CTR5
+    vmovdqu CTR6, 96(CT)
+    vpshufb TMP3, CTR6, CTR6
+    vmovdqu CTR7, 112(CT)
+    vpshufb TMP3, CTR7, CTR7
+
+    lea 128(CT), CT
+    lea 128(PT), PT
+    jmp .LDataOctets
+
+# Encrypt 8 blocks each time while hashing previous 8 blocks
+.align 64
+.LDataOctets:
+        cmp $128, len
+        jb  .LEndOctets
+        sub $128, len
+
+        vmovdqa CTR7, TMP5
+        vmovdqa CTR6, 1*16(%rsp)
+        vmovdqa CTR5, 2*16(%rsp)
+        vmovdqa CTR4, 3*16(%rsp)
+        vmovdqa CTR3, 4*16(%rsp)
+        vmovdqa CTR2, 5*16(%rsp)
+        vmovdqa CTR1, 6*16(%rsp)
+        vmovdqa CTR0, 7*16(%rsp)
+
+        vmovdqa CTR, CTR0
+        vpaddd  .Lone(%rip), CTR0, CTR1
+        vpaddd  .Ltwo(%rip), CTR0, CTR2
+        vpaddd  .Lone(%rip), CTR2, CTR3
+        vpaddd  .Ltwo(%rip), CTR2, CTR4
+        vpaddd  .Lone(%rip), CTR4, CTR5
+        vpaddd  .Ltwo(%rip), CTR4, CTR6
+        vpaddd  .Lone(%rip), CTR6, CTR7
+        vpaddd  .Ltwo(%rip), CTR6, CTR
+
+        vmovdqu (KS), TMP4
+        vpshufb TMP3, CTR0, CTR0
+        vpxor   TMP4, CTR0, CTR0
+        vpshufb TMP3, CTR1, CTR1
+        vpxor   TMP4, CTR1, CTR1
+        vpshufb TMP3, CTR2, CTR2
+        vpxor   TMP4, CTR2, CTR2
+        vpshufb TMP3, CTR3, CTR3
+        vpxor   TMP4, CTR3, CTR3
+        vpshufb TMP3, CTR4, CTR4
+        vpxor   TMP4, CTR4, CTR4
+        vpshufb TMP3, CTR5, CTR5
+        vpxor   TMP4, CTR5, CTR5
+        vpshufb TMP3, CTR6, CTR6
+        vpxor   TMP4, CTR6, CTR6
+        vpshufb TMP3, CTR7, CTR7
+        vpxor   TMP4, CTR7, CTR7
+
+        vmovdqu     16*0(Htbl), TMP3
+        vpclmulqdq  $0x11, TMP3, TMP5, TMP1
+        vpclmulqdq  $0x00, TMP3, TMP5, TMP2      
+        vpshufd     $78, TMP5, TMP3
+        vpxor       TMP5, TMP3, TMP5
+        vmovdqu     128+0*16(Htbl), TMP3      
+        vpclmulqdq  $0x00, TMP3, TMP5, TMP0
+
+        ROUNDMUL 1
+
+        ROUNDMUL 2
+
+        ROUNDMUL 3
+
+        ROUNDMUL 4
+
+        ROUNDMUL 5
+
+        ROUNDMUL 6
+
+        vpxor   7*16(%rsp), T, TMP5
+        vmovdqu 7*16(KS), TMP3
+
+        vaesenc TMP3, CTR0, CTR0
+        vaesenc TMP3, CTR1, CTR1
+        vaesenc TMP3, CTR2, CTR2
+        vaesenc TMP3, CTR3, CTR3
+
+        vpshufd $78, TMP5, TMP4
+        vpxor   TMP5, TMP4, TMP4
+
+        vaesenc TMP3, CTR4, CTR4
+        vaesenc TMP3, CTR5, CTR5
+        vaesenc TMP3, CTR6, CTR6
+        vaesenc TMP3, CTR7, CTR7
+
+        vpclmulqdq  $0x11, 7*16(Htbl), TMP5, TMP3
+        vpxor       TMP3, TMP1, TMP1
+        vpclmulqdq  $0x00, 7*16(Htbl), TMP5, TMP3
+        vpxor       TMP3, TMP2, TMP2
+        vpclmulqdq  $0x00, 128+7*16(Htbl), TMP4, TMP3
+        vpxor       TMP3, TMP0, TMP0
+
+        ROUND 8    
+        vmovdqa .Lpoly(%rip), TMP5
+
+        vpxor   TMP1, TMP0, TMP0
+        vpxor   TMP2, TMP0, TMP0
+        vpsrldq $8, TMP0, TMP3
+        vpxor   TMP3, TMP1, TMP4
+        vpslldq $8, TMP0, TMP3
+        vpxor   TMP3, TMP2, T
+
+        vpclmulqdq  $0x10, TMP5, T, TMP1
+        vpalignr    $8, T, T, T
+        vpxor       T, TMP1, T
+
+        ROUND 9
+
+        vpclmulqdq  $0x10, TMP5, T, TMP1
+        vpalignr    $8, T, T, T
+        vpxor       T, TMP1, T
+
+        vmovdqu 160(KS), TMP5
+        cmp     $10, NR
+        jbe     .LLast2
+
+        ROUND 10
+        ROUND 11
+
+        vmovdqu 192(KS), TMP5
+        cmp     $12, NR
+        jbe     .LLast2
+
+        ROUND 12
+        ROUND 13
+
+        vmovdqu 224(KS), TMP5
+
+.LLast2:
+      
+        vpxor       (PT), TMP5, TMP3
+        vaesenclast TMP3, CTR0, CTR0
+        vpxor       16(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR1, CTR1
+        vpxor       32(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR2, CTR2
+        vpxor       48(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR3, CTR3
+        vpxor       64(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR4, CTR4
+        vpxor       80(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR5, CTR5
+        vpxor       96(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR6, CTR6
+        vpxor       112(PT), TMP5, TMP3
+        vaesenclast TMP3, CTR7, CTR7
+
+        vmovdqu .Lbswap_mask(%rip), TMP3
+
+        vmovdqu CTR0, (CT)
+        vpshufb TMP3, CTR0, CTR0
+        vmovdqu CTR1, 16(CT)
+        vpshufb TMP3, CTR1, CTR1
+        vmovdqu CTR2, 32(CT)
+        vpshufb TMP3, CTR2, CTR2
+        vmovdqu CTR3, 48(CT)
+        vpshufb TMP3, CTR3, CTR3
+        vmovdqu CTR4, 64(CT)
+        vpshufb TMP3, CTR4, CTR4
+        vmovdqu CTR5, 80(CT)
+        vpshufb TMP3, CTR5, CTR5
+        vmovdqu CTR6, 96(CT)
+        vpshufb TMP3, CTR6, CTR6
+        vmovdqu CTR7,112(CT)
+        vpshufb TMP3, CTR7, CTR7
+
+        vpxor   TMP4, T, T
+
+        lea 128(CT), CT
+        lea 128(PT), PT
+    jmp  .LDataOctets
+
+.LEndOctets:
+    
+    vmovdqa CTR7, TMP5
+    vmovdqa CTR6, 1*16(%rsp)
+    vmovdqa CTR5, 2*16(%rsp)
+    vmovdqa CTR4, 3*16(%rsp)
+    vmovdqa CTR3, 4*16(%rsp)
+    vmovdqa CTR2, 5*16(%rsp)
+    vmovdqa CTR1, 6*16(%rsp)
+    vmovdqa CTR0, 7*16(%rsp)
+
+    vmovdqu     16*0(Htbl), TMP3
+    vpclmulqdq  $0x11, TMP3, TMP5, TMP1
+    vpclmulqdq  $0x00, TMP3, TMP5, TMP2      
+    vpshufd     $78, TMP5, TMP3
+    vpxor       TMP5, TMP3, TMP5
+    vmovdqu     128+0*16(Htbl), TMP3      
+    vpclmulqdq  $0x00, TMP3, TMP5, TMP0
+
+    KARATSUBA 1
+    KARATSUBA 2
+    KARATSUBA 3      
+    KARATSUBA 4
+    KARATSUBA 5
+    KARATSUBA 6
+
+    vmovdqu     7*16(%rsp), TMP5
+    vpxor       T, TMP5, TMP5
+    vmovdqu     16*7(Htbl), TMP4            
+    vpclmulqdq  $0x11, TMP4, TMP5, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpclmulqdq  $0x00, TMP4, TMP5, TMP3
+    vpxor       TMP3, TMP2, TMP2      
+    vpshufd     $78, TMP5, TMP3
+    vpxor       TMP5, TMP3, TMP5
+    vmovdqu     128+7*16(Htbl), TMP4      
+    vpclmulqdq  $0x00, TMP4, TMP5, TMP3
+    vpxor       TMP3, TMP0, TMP0
+
+    vpxor       TMP1, TMP0, TMP0
+    vpxor       TMP2, TMP0, TMP0
+
+    vpsrldq     $8, TMP0, TMP3
+    vpxor       TMP3, TMP1, TMP4
+    vpslldq     $8, TMP0, TMP3
+    vpxor       TMP3, TMP2, T
+
+    vmovdqa     .Lpoly(%rip), TMP2
+
+    vpalignr    $8, T, T, TMP1
+    vpclmulqdq  $0x10, TMP2, T, T
+    vpxor       T, TMP1, T
+
+    vpalignr    $8, T, T, TMP1
+    vpclmulqdq  $0x10, TMP2, T, T
+    vpxor       T, TMP1, T
+
+    vpxor       TMP4, T, T
+
+#Here we encrypt any remaining whole block
+.LDataSingles:
+
+    cmp $16, len
+    jb  .LDataTail
+    sub $16, len
+
+    vpshufb .Lbswap_mask(%rip), CTR, TMP1
+    vpaddd  .Lone(%rip), CTR, CTR
+
+    vpxor   (KS), TMP1, TMP1
+    vaesenc 16*1(KS), TMP1, TMP1
+    vaesenc 16*2(KS), TMP1, TMP1
+    vaesenc 16*3(KS), TMP1, TMP1
+    vaesenc 16*4(KS), TMP1, TMP1
+    vaesenc 16*5(KS), TMP1, TMP1
+    vaesenc 16*6(KS), TMP1, TMP1
+    vaesenc 16*7(KS), TMP1, TMP1
+    vaesenc 16*8(KS), TMP1, TMP1
+    vaesenc 16*9(KS), TMP1, TMP1
+    vmovdqu 16*10(KS), TMP2
+    cmp     $10, NR
+    je      .LLast3
+    vaesenc 16*10(KS), TMP1, TMP1
+    vaesenc 16*11(KS), TMP1, TMP1
+    vmovdqu 16*12(KS), TMP2
+    cmp     $12, NR
+    je      .LLast3
+    vaesenc 16*12(KS), TMP1, TMP1
+    vaesenc 16*13(KS), TMP1, TMP1
+    vmovdqu 16*14(KS), TMP2
+
+.LLast3:
+    vaesenclast TMP2, TMP1, TMP1
+
+    vpxor   (PT), TMP1, TMP1
+    vmovdqu TMP1, (CT)
+    addq    $16, CT
+    addq    $16, PT
+
+    vpshufb .Lbswap_mask(%rip), TMP1, TMP1
+    vpxor   TMP1, T, T
+    vmovdqu (Htbl), TMP0
+    call    GFMUL
+
+    jmp .LDataSingles
+
+#Here we encypt the final partial block, if there is one
+.LDataTail:
+
+    test    len, len
+    jz      DATA_END
+# First prepare the counter block
+    vpshufb .Lbswap_mask(%rip), CTR, TMP1
+    vpaddd  .Lone(%rip), CTR, CTR
+
+    vpxor   (KS), TMP1, TMP1
+    vaesenc 16*1(KS), TMP1, TMP1
+    vaesenc 16*2(KS), TMP1, TMP1
+    vaesenc 16*3(KS), TMP1, TMP1
+    vaesenc 16*4(KS), TMP1, TMP1
+    vaesenc 16*5(KS), TMP1, TMP1
+    vaesenc 16*6(KS), TMP1, TMP1
+    vaesenc 16*7(KS), TMP1, TMP1
+    vaesenc 16*8(KS), TMP1, TMP1
+    vaesenc 16*9(KS), TMP1, TMP1
+    vmovdqu 16*10(KS), TMP2
+    cmp     $10, NR
+    je      .LLast4
+    vaesenc 16*10(KS), TMP1, TMP1
+    vaesenc 16*11(KS), TMP1, TMP1
+    vmovdqu 16*12(KS), TMP2
+    cmp     $12, NR
+    je      .LLast4
+    vaesenc 16*12(KS), TMP1, TMP1
+    vaesenc 16*13(KS), TMP1, TMP1
+    vmovdqu 16*14(KS), TMP2
+  
+.LLast4:
+    vaesenclast TMP2, TMP1, TMP1
+#Zero a temp location
+    vpxor   TMP2, TMP2, TMP2
+    vmovdqa TMP2, (%rsp)
+    
+# Copy the required bytes only (could probably use rep movsb)
+    xor KS, KS  
+.LEncCpy:
+        cmp     KS, len
+        je      .LEncCpyEnd
+        movb    (PT, KS, 1), %r8b
+        movb    %r8b, (%rsp, KS, 1)
+        inc     KS
+        jmp .LEncCpy
+.LEncCpyEnd:
+# Xor with the counter block
+    vpxor   (%rsp), TMP1, TMP0
+# Again, store at temp location
+    vmovdqa TMP0, (%rsp)
+# Copy only the required bytes to CT, and zero the rest for the hash
+    xor KS, KS
+.LEncCpy2:
+    cmp     KS, len
+    je      .LEncCpy3
+    movb    (%rsp, KS, 1), %r8b
+    movb    %r8b, (CT, KS, 1)
+    inc     KS
+    jmp .LEncCpy2
+.LEncCpy3:
+    cmp     $16, KS
+    je      .LEndCpy3
+    movb    $0, (%rsp, KS, 1)
+    inc     KS
+    jmp .LEncCpy3
+.LEndCpy3:
+   vmovdqa  (%rsp), TMP0
+
+   vpshufb  .Lbswap_mask(%rip), TMP0, TMP0
+   vpxor    TMP0, T, T
+   vmovdqu  (Htbl), TMP0
+   call     GFMUL
+
+DATA_END:
+
+   vpshufb  .Lbswap_mask(%rip), T, T
+   vpshufb  .Lbswap_mask(%rip), CTR, CTR
+   vmovdqu  T, 272(Gctx)
+   vmovdqu  CTR, 288(Gctx)
+
+   movq   %rbp, %rsp
+
+   popq   %rbx
+   popq   %rbp
+   ret
+   .size intel_aes_gcmENC, .-intel_aes_gcmENC
+  
+#########################
+# Decrypt and Authenticate
+# void intel_aes_gcmDEC(uint8_t* PT, uint8_t* CT, void *Gctx,uint64_t len);
+.type intel_aes_gcmDEC,@function
+.globl intel_aes_gcmDEC
+.align 16
+intel_aes_gcmDEC:
+# parameter 1: CT    # input
+# parameter 2: PT    # output
+# parameter 3: %rdx  # Gctx
+# parameter 4: %rcx  # len
+
+.macro DEC_KARATSUBA i
+    vmovdqu     (7-\i)*16(CT), TMP5
+    vpshufb     .Lbswap_mask(%rip), TMP5, TMP5
+
+    vpclmulqdq  $0x11, 16*\i(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP1, TMP1
+    vpclmulqdq  $0x00, 16*\i(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP2, TMP2
+    vpshufd     $78, TMP5, TMP3
+    vpxor       TMP5, TMP3, TMP5
+    vpclmulqdq  $0x00, 128+\i*16(Htbl), TMP5, TMP3
+    vpxor       TMP3, TMP0, TMP0
+.endm
+
+.set PT,%rsi
+.set CT,%rdi
+.set Htbl, %rdx
+.set len, %rcx
+.set KS,%r9
+.set NR,%r10d
+
+.set Gctx, %rdx
+
+.set T,%xmm0
+.set TMP0,%xmm1
+.set TMP1,%xmm2
+.set TMP2,%xmm3
+.set TMP3,%xmm4
+.set TMP4,%xmm5
+.set TMP5,%xmm6
+.set CTR0,%xmm7
+.set CTR1,%xmm8
+.set CTR2,%xmm9
+.set CTR3,%xmm10
+.set CTR4,%xmm11
+.set CTR5,%xmm12
+.set CTR6,%xmm13
+.set CTR7,%xmm14
+.set CTR,%xmm15
+
+    test  len, len
+    jnz   .LbeginDec
+    ret
+   
+.LbeginDec:
+
+    pushq   %rbp
+    pushq   %rbx
+    movq    %rsp, %rbp   
+    sub     $128, %rsp
+    andq    $-16, %rsp
+    vmovdqu 288(Gctx), CTR
+    vmovdqu 272(Gctx), T
+    mov     304(Gctx), KS
+    mov     4(KS), NR
+    lea     48(KS), KS
+
+    vpshufb .Lbswap_mask(%rip), CTR, CTR
+    vpshufb .Lbswap_mask(%rip), T, T
+     
+    vmovdqu .Lbswap_mask(%rip), TMP3
+    jmp     .LDECOctets
+      
+# Decrypt 8 blocks each time while hashing them at the same time
+.align 64
+.LDECOctets:
+   
+        cmp $128, len
+        jb  .LDECSingles
+        sub $128, len
+
+        vmovdqa CTR, CTR0
+        vpaddd  .Lone(%rip), CTR0, CTR1
+        vpaddd  .Ltwo(%rip), CTR0, CTR2
+        vpaddd  .Lone(%rip), CTR2, CTR3
+        vpaddd  .Ltwo(%rip), CTR2, CTR4
+        vpaddd  .Lone(%rip), CTR4, CTR5
+        vpaddd  .Ltwo(%rip), CTR4, CTR6
+        vpaddd  .Lone(%rip), CTR6, CTR7
+        vpaddd  .Ltwo(%rip), CTR6, CTR
+
+        vpshufb TMP3, CTR0, CTR0
+        vpshufb TMP3, CTR1, CTR1
+        vpshufb TMP3, CTR2, CTR2
+        vpshufb TMP3, CTR3, CTR3
+        vpshufb TMP3, CTR4, CTR4
+        vpshufb TMP3, CTR5, CTR5
+        vpshufb TMP3, CTR6, CTR6
+        vpshufb TMP3, CTR7, CTR7
+
+        vmovdqu (KS), TMP3
+        vpxor  TMP3, CTR0, CTR0
+        vpxor  TMP3, CTR1, CTR1
+        vpxor  TMP3, CTR2, CTR2
+        vpxor  TMP3, CTR3, CTR3
+        vpxor  TMP3, CTR4, CTR4
+        vpxor  TMP3, CTR5, CTR5
+        vpxor  TMP3, CTR6, CTR6
+        vpxor  TMP3, CTR7, CTR7
+
+        vmovdqu     7*16(CT), TMP5
+        vpshufb     .Lbswap_mask(%rip), TMP5, TMP5
+        vmovdqu     16*0(Htbl), TMP3
+        vpclmulqdq  $0x11, TMP3, TMP5, TMP1
+        vpclmulqdq  $0x00, TMP3, TMP5, TMP2      
+        vpshufd     $78, TMP5, TMP3
+        vpxor       TMP5, TMP3, TMP5
+        vmovdqu     128+0*16(Htbl), TMP3      
+        vpclmulqdq  $0x00, TMP3, TMP5, TMP0
+
+        ROUND 1
+        DEC_KARATSUBA 1
+
+        ROUND 2
+        DEC_KARATSUBA 2
+
+        ROUND 3
+        DEC_KARATSUBA 3
+
+        ROUND 4
+        DEC_KARATSUBA 4
+
+        ROUND 5
+        DEC_KARATSUBA 5
+
+        ROUND 6
+        DEC_KARATSUBA 6
+
+        ROUND 7
+
+        vmovdqu     0*16(CT), TMP5
+        vpshufb     .Lbswap_mask(%rip), TMP5, TMP5
+        vpxor       T, TMP5, TMP5
+        vmovdqu     16*7(Htbl), TMP4
+            
+        vpclmulqdq  $0x11, TMP4, TMP5, TMP3
+        vpxor       TMP3, TMP1, TMP1
+        vpclmulqdq  $0x00, TMP4, TMP5, TMP3
+        vpxor       TMP3, TMP2, TMP2
+
+        vpshufd     $78, TMP5, TMP3
+        vpxor       TMP5, TMP3, TMP5
+        vmovdqu     128+7*16(Htbl), TMP4
+
+        vpclmulqdq  $0x00, TMP4, TMP5, TMP3
+        vpxor       TMP3, TMP0, TMP0
+
+        ROUND 8      
+
+        vpxor       TMP1, TMP0, TMP0
+        vpxor       TMP2, TMP0, TMP0
+
+        vpsrldq     $8, TMP0, TMP3
+        vpxor       TMP3, TMP1, TMP4
+        vpslldq     $8, TMP0, TMP3
+        vpxor       TMP3, TMP2, T
+        vmovdqa	  .Lpoly(%rip), TMP2
+
+        vpalignr    $8, T, T, TMP1
+        vpclmulqdq  $0x10, TMP2, T, T
+        vpxor       T, TMP1, T
+
+        ROUND 9
+
+        vpalignr    $8, T, T, TMP1
+        vpclmulqdq  $0x10, TMP2, T, T
+        vpxor       T, TMP1, T
+
+        vmovdqu     160(KS), TMP5
+        cmp         $10, NR
+
+        jbe  .LDECLast1
+
+        ROUND 10
+        ROUND 11
+
+        vmovdqu     192(KS), TMP5
+        cmp         $12, NR       
+
+        jbe  .LDECLast1
+
+        ROUND 12
+        ROUND 13
+
+        vmovdqu  224(KS), TMP5
+
+.LDECLast1:      
+      
+        vpxor   (CT), TMP5, TMP3
+        vaesenclast TMP3, CTR0, CTR0
+        vpxor   16(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR1, CTR1
+        vpxor   32(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR2, CTR2
+        vpxor   48(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR3, CTR3
+        vpxor   64(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR4, CTR4
+        vpxor   80(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR5, CTR5
+        vpxor   96(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR6, CTR6
+        vpxor   112(CT), TMP5, TMP3
+        vaesenclast TMP3, CTR7, CTR7
+
+        vmovdqu .Lbswap_mask(%rip), TMP3
+
+        vmovdqu CTR0, (PT)
+        vmovdqu CTR1, 16(PT)
+        vmovdqu CTR2, 32(PT)
+        vmovdqu CTR3, 48(PT)
+        vmovdqu CTR4, 64(PT)
+        vmovdqu CTR5, 80(PT)
+        vmovdqu CTR6, 96(PT)
+        vmovdqu CTR7,112(PT)
+
+        vpxor   TMP4, T, T
+
+        lea 128(CT), CT
+        lea 128(PT), PT
+   jmp  .LDECOctets
+   
+#Here we decrypt and hash any remaining whole block
+.LDECSingles:
+
+    cmp   $16, len
+    jb    .LDECTail
+    sub   $16, len
+
+    vmovdqu  (CT), TMP1
+    vpshufb  .Lbswap_mask(%rip), TMP1, TMP1
+    vpxor    TMP1, T, T
+    vmovdqu  (Htbl), TMP0
+    call     GFMUL
+
+
+    vpshufb  .Lbswap_mask(%rip), CTR, TMP1
+    vpaddd   .Lone(%rip), CTR, CTR
+
+    vpxor    (KS), TMP1, TMP1
+    vaesenc  16*1(KS), TMP1, TMP1
+    vaesenc  16*2(KS), TMP1, TMP1
+    vaesenc  16*3(KS), TMP1, TMP1
+    vaesenc  16*4(KS), TMP1, TMP1
+    vaesenc  16*5(KS), TMP1, TMP1
+    vaesenc  16*6(KS), TMP1, TMP1
+    vaesenc  16*7(KS), TMP1, TMP1
+    vaesenc  16*8(KS), TMP1, TMP1
+    vaesenc  16*9(KS), TMP1, TMP1
+    vmovdqu  16*10(KS), TMP2
+    cmp      $10, NR
+    je       .LDECLast2
+    vaesenc  16*10(KS), TMP1, TMP1
+    vaesenc  16*11(KS), TMP1, TMP1
+    vmovdqu  16*12(KS), TMP2
+    cmp      $12, NR
+    je       .LDECLast2
+    vaesenc  16*12(KS), TMP1, TMP1
+    vaesenc  16*13(KS), TMP1, TMP1
+    vmovdqu  16*14(KS), TMP2
+.LDECLast2:
+    vaesenclast TMP2, TMP1, TMP1
+
+    vpxor    (CT), TMP1, TMP1
+    vmovdqu  TMP1, (PT)
+    addq     $16, CT
+    addq     $16, PT  
+    jmp   .LDECSingles
+
+#Here we decrypt the final partial block, if there is one
+.LDECTail:
+   test   len, len
+   jz     .LDEC_END
+
+   vpshufb  .Lbswap_mask(%rip), CTR, TMP1
+   vpaddd .Lone(%rip), CTR, CTR
+
+   vpxor  (KS), TMP1, TMP1
+   vaesenc  16*1(KS), TMP1, TMP1
+   vaesenc  16*2(KS), TMP1, TMP1
+   vaesenc  16*3(KS), TMP1, TMP1
+   vaesenc  16*4(KS), TMP1, TMP1
+   vaesenc  16*5(KS), TMP1, TMP1
+   vaesenc  16*6(KS), TMP1, TMP1
+   vaesenc  16*7(KS), TMP1, TMP1
+   vaesenc  16*8(KS), TMP1, TMP1
+   vaesenc  16*9(KS), TMP1, TMP1
+   vmovdqu  16*10(KS), TMP2
+   cmp      $10, NR
+   je       .LDECLast3
+   vaesenc  16*10(KS), TMP1, TMP1
+   vaesenc  16*11(KS), TMP1, TMP1
+   vmovdqu  16*12(KS), TMP2
+   cmp      $12, NR
+   je       .LDECLast3
+   vaesenc  16*12(KS), TMP1, TMP1
+   vaesenc  16*13(KS), TMP1, TMP1
+   vmovdqu  16*14(KS), TMP2
+
+.LDECLast3:
+   vaesenclast TMP2, TMP1, TMP1
+  
+   vpxor   TMP2, TMP2, TMP2
+   vmovdqa TMP2, (%rsp) 
+# Copy the required bytes only (could probably use rep movsb)
+    xor KS, KS  
+.LDecCpy:
+        cmp     KS, len
+        je      .LDecCpy2
+        movb    (CT, KS, 1), %r8b
+        movb    %r8b, (%rsp, KS, 1)
+        inc     KS
+        jmp     .LDecCpy
+.LDecCpy2:
+        cmp     $16, KS
+        je      .LDecCpyEnd
+        movb    $0, (%rsp, KS, 1)
+        inc     KS
+        jmp     .LDecCpy2
+.LDecCpyEnd:
+# Xor with the counter block
+    vmovdqa (%rsp), TMP0
+    vpxor   TMP0, TMP1, TMP1
+# Again, store at temp location
+    vmovdqa TMP1, (%rsp)
+# Copy only the required bytes to PT, and zero the rest for the hash
+    xor KS, KS
+.LDecCpy3:
+    cmp     KS, len
+    je      .LDecCpyEnd3
+    movb    (%rsp, KS, 1), %r8b
+    movb    %r8b, (PT, KS, 1)
+    inc     KS
+    jmp     .LDecCpy3
+.LDecCpyEnd3:
+   vpshufb  .Lbswap_mask(%rip), TMP0, TMP0
+   vpxor    TMP0, T, T
+   vmovdqu  (Htbl), TMP0
+   call     GFMUL
+.LDEC_END:
+
+   vpshufb  .Lbswap_mask(%rip), T, T
+   vpshufb  .Lbswap_mask(%rip), CTR, CTR
+   vmovdqu  T, 272(Gctx)
+   vmovdqu  CTR, 288(Gctx)
+
+   movq   %rbp, %rsp
+
+   popq   %rbx
+   popq   %rbp
+   ret
+  .size intel_aes_gcmDEC, .-intel_aes_gcmDEC
+#########################
+# a = T
+# b = TMP0 - remains unchanged
+# res = T
+# uses also TMP1,TMP2,TMP3,TMP4
+# __m128i GFMUL(__m128i A, __m128i B);
+.type GFMUL,@function
+.globl GFMUL
+GFMUL:  
+    vpclmulqdq  $0x00, TMP0, T, TMP1
+    vpclmulqdq  $0x11, TMP0, T, TMP4
+
+    vpshufd     $78, T, TMP2
+    vpshufd     $78, TMP0, TMP3
+    vpxor       T, TMP2, TMP2
+    vpxor       TMP0, TMP3, TMP3
+
+    vpclmulqdq  $0x00, TMP3, TMP2, TMP2
+    vpxor       TMP1, TMP2, TMP2
+    vpxor       TMP4, TMP2, TMP2
+
+    vpslldq     $8, TMP2, TMP3
+    vpsrldq     $8, TMP2, TMP2
+
+    vpxor       TMP3, TMP1, TMP1
+    vpxor       TMP2, TMP4, TMP4
+
+    vpclmulqdq  $0x10, .Lpoly(%rip), TMP1, TMP2
+    vpshufd     $78, TMP1, TMP3
+    vpxor       TMP3, TMP2, TMP1
+
+    vpclmulqdq  $0x10, .Lpoly(%rip), TMP1, TMP2
+    vpshufd     $78, TMP1, TMP3
+    vpxor       TMP3, TMP2, TMP1
+
+    vpxor       TMP4, TMP1, T
+    ret
+.size GFMUL, .-GFMUL
+
--- a/security/nss/lib/freebl/manifest.mn
+++ b/security/nss/lib/freebl/manifest.mn
@@ -114,16 +114,17 @@ CSRCS = \
 	tlsprfalg.c \
 	seed.c \
 	jpake.c \
 	$(MPI_SRCS) \
 	$(MPCPU_SRCS) \
 	$(ECL_SRCS) \
 	$(STUBS_SRCS) \
 	$(LOWHASH_SRCS) \
+	$(EXTRA_SRCS) \
 	$(NULL)
 
 ALL_CSRCS := $(CSRCS)
 
 ALL_HDRS =  \
 	alghmac.h \
 	blapi.h \
 	blapit.h \
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -1,12 +1,12 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: rijndael.c,v 1.28 2012/09/28 22:46:32 rrelyea%redhat.com Exp $ */
+/* $Id: rijndael.c,v 1.29 2013/01/15 02:36:11 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prinit.h"
 #include "prerr.h"
 #include "secerr.h"
@@ -15,18 +15,26 @@
 #include "blapi.h"
 #include "rijndael.h"
 
 #include "cts.h"
 #include "ctr.h"
 #include "gcm.h"
 
 #if USE_HW_AES
+#include "intel-gcm.h"
 #include "intel-aes.h"
 #include "mpi.h"
+
+static int has_intel_aes = 0;
+static int has_intel_avx = 0;
+static int has_intel_clmul = 0;
+static PRBool use_hw_aes = PR_FALSE;
+static PRBool use_hw_avx = PR_FALSE;
+static PRBool use_hw_gcm = PR_FALSE;
 #endif
 
 /*
  * There are currently five ways to build this code, varying in performance
  * and code size.
  *
  * RIJNDAEL_INCLUDE_TABLES         Include all tables from rijndael32.tab
  * RIJNDAEL_GENERATE_TABLES        Generate tables on first 
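Review bot: `use_hw_aes` and `use_hw_gcm` become file-scope statics here, yet the hunk at -1004 recomputes them on every call from that call's `keysize` and `blocksize`, and the hunk at -1112 reads `use_hw_gcm` in what its header names as `AES_InitContext`. If two threads initialise contexts with different parameters at the same time, one call can apparently act on the other's decision, so a context that does not meet the hardware conditions could be handed the Intel GCM worker. Keeping the CPUID results (`has_intel_*`) static while leaving the per-call decision per-call would avoid this. Whether callers serialise these calls is not visible in the hunks.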
@@ -965,20 +973,16 @@ AESContext * AES_AllocateContext(void)
 ** the ECB or CBC mode.
 ** 	"mode" the mode of operation, which must be NSS_AES or NSS_AES_CBC
 */
 static SECStatus   
 aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, 
 	        const unsigned char *iv, int mode, unsigned int encrypt,
 	        unsigned int blocksize)
 {
-#if USE_HW_AES
-    static int has_intel_aes;
-    PRBool use_hw_aes = PR_FALSE;
-#endif
     unsigned int Nk;
     /* According to Rijndael AES Proposal, section 12.1, block and key
      * lengths between 128 and 256 bits are supported, as long as the
      * length in bytes is divisible by 4.
      */
     if (key == NULL || 
         keysize < RIJNDAEL_MIN_BLOCKSIZE   || 
 	keysize > RIJNDAEL_MAX_BLOCKSIZE   || 
@@ -1004,22 +1008,28 @@ aes_InitContext(AESContext *cx, const un
 #if USE_HW_AES
     if (has_intel_aes == 0) {
 	unsigned long eax, ebx, ecx, edx;
 	char *disable_hw_aes = getenv("NSS_DISABLE_HW_AES");
 
 	if (disable_hw_aes == NULL) {
 	    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
 	    has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
+	    has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
+	    has_intel_avx = (ecx & (1 << 28)) != 0 ? 1 : -1;
 	} else {
 	    has_intel_aes = -1;
+	    has_intel_avx = -1;
+	    has_intel_clmul = -1;
 	}
     }
     use_hw_aes = (PRBool)
 		(has_intel_aes > 0 && (keysize % 8) == 0 && blocksize == 16);
+    use_hw_gcm = (PRBool)
+		(use_hw_aes && has_intel_avx>0 && has_intel_clmul>0);
 #endif
     /* Nb = (block size in bits) / 32 */
     cx->Nb = blocksize / 4;
     /* Nk = (key size in bits) / 32 */
     Nk = keysize / 4;
     /* Obtain number of rounds from "table" */
     cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
     /* copy in the iv, if neccessary */
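Review bot: `has_intel_avx` is set from CPUID.1:ECX bit 28 alone, which reports that the processor implements AVX but not that the operating system has enabled the extended register state. Where the OS or hypervisor leaves that state disabled, the VEX-encoded instructions in intel-gcm.s would fault instead of falling back to the software GCM. The check should also require OSXSAVE (ECX bit 27) and confirm via XGETBV that XCR0 has the SSE and AVX state bits set, e.g. `has_intel_avx = ((ecx & (1 << 27)) && (ecx & (1 << 28)) && xcr0_has_ymm()) ? 1 : -1;`, where `xcr0_has_ymm` is a placeholder for a helper the patch would need to add. `aes_InitContext` begins and ends outside the hunk.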
@@ -1112,21 +1122,32 @@ AES_InitContext(AESContext *cx, const un
     case NSS_AES_CTS:
 	cx->worker_cx = CTS_CreateContext(cx, cx->worker, iv, blocksize);
 	cx->worker = (freeblCipherFunc) 
 			(encrypt ?  CTS_EncryptUpdate : CTS_DecryptUpdate);
 	cx->destroy = (freeblDestroyFunc) CTS_DestroyContext;
 	cx->isBlock = PR_FALSE;
 	break;
     case NSS_AES_GCM:
+#if USE_HW_AES
+	if(use_hw_gcm) {
+        	cx->worker_cx = intel_AES_GCM_CreateContext(cx, cx->worker, iv, blocksize);
+		cx->worker = (freeblCipherFunc)
+			(encrypt ? intel_AES_GCM_EncryptUpdate : intel_AES_GCM_DecryptUpdate);
+		cx->destroy = (freeblDestroyFunc) intel_AES_GCM_DestroyContext;
+		cx->isBlock = PR_FALSE;
+    	} else
+#endif
+	{
 	cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv, blocksize);
 	cx->worker = (freeblCipherFunc)
 			(encrypt ? GCM_EncryptUpdate : GCM_DecryptUpdate);
 	cx->destroy = (freeblDestroyFunc) GCM_DestroyContext;
 	cx->isBlock = PR_FALSE;
+	}
 	break;
     case NSS_AES_CTR:
 	cx->worker_cx = CTR_CreateContext(cx, cx->worker, iv, blocksize);
 	cx->worker = (freeblCipherFunc) CTR_Update ;
 	cx->destroy = (freeblDestroyFunc) CTR_DestroyContext;
 	cx->isBlock = PR_FALSE;
 	break;
     default:
--- a/security/nss/lib/freebl/unix_rand.c
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -353,20 +353,22 @@ static size_t
 GetHighResClock(void *buf, size_t maxbytes)
 {
     return 0;
 }
 
 static void
 GiveSystemInfo(void)
 {
+#ifndef NO_SYSINFO
     struct sysinfo si;
     if (sysinfo(&si) == 0) {
 	RNG_RandomUpdate(&si, sizeof(si));
     }
+#endif
 }
 #endif /* LINUX */
 
 #if defined(NCR)
 
 #include <sys/utsname.h>
 #include <sys/systeminfo.h>
 
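Review bot: With `NO_SYSINFO` defined, `GiveSystemInfo` compiles to an empty function and this Linux path no longer passes `sysinfo()` data to `RNG_RandomUpdate`, but nothing in the hunk says so. A comment above the `#ifndef` would show that the omission is deliberate, e.g. `/* NO_SYSINFO: sysinfo() is unavailable on this target; nothing is mixed in here. */`. Which platforms define the macro, and which other inputs the generator then relies on, is not visible in this hunk.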
--- a/security/nss/lib/libpkix/include/pkix_params.h
+++ b/security/nss/lib/libpkix/include/pkix_params.h
@@ -631,19 +631,21 @@ PKIX_Error *
 PKIX_ProcessingParams_GetTrustAnchors(
         PKIX_ProcessingParams *params,
         PKIX_List **pAnchors,  /* list of TrustAnchor */
         void *plContext);
 /*
  * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
  * DESCRIPTION:
  *
- * Sets user defined set of trust anchors. A certificate will be considered
- * invalid if it does not chain to a trusted anchor from this list.
- * 
+ * Sets user defined set of trust anchors. The handling of the trust anchors
+ * may be furthered alter via PKIX_ProcessingParams_SetUseOnlyTrustAnchors.
+ * By default, a certificate will be considered invalid if it does not chain
+ * to a trusted anchor from this list.
+ *
  * PARAMETERS:
  *  "params"
  *      Address of ProcessingParams whose List of TrustAnchors are to
  *      be stored. Must be non-NULL.
  *  "anchors"
  *      Address of the trust anchors list object. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
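Review bot: The new sentence in the `PKIX_ProcessingParams_SetTrustAnchors` description reads "may be furthered alter via", which should be `may be further altered via PKIX_ProcessingParams_SetUseOnlyTrustAnchors`. This comment is the public description of how trust anchors are treated, so the wording is worth correcting before it is copied elsewhere.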
@@ -657,16 +659,81 @@ PKIX_ProcessingParams_GetTrustAnchors(
  */
 PKIX_Error *
 PKIX_ProcessingParams_SetTrustAnchors(
         PKIX_ProcessingParams *params,
         PKIX_List *pAnchors,  /* list of TrustAnchor */
         void *plContext);
 
 /*
+ * FUNCTION: PKIX_ProcessingParams_GetUseOnlyTrustAnchors
+ * DESCRIPTION:
+ *
+ * Retrieves a pointer to the Boolean. The boolean value represents
+ * the switch value that is used to identify whether trust anchors, if
+ * specified, should be the exclusive source of trust information.
+ * If the function succeeds, the pointer to the Boolean is guaranteed to be
+ * non-NULL.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams. Must be non-NULL.
+ *  "pUseOnlyTrustAnchors"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetUseOnlyTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pUseOnlyTrustAnchors,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
+ * DESCRIPTION:
+ *
+ * Configures whether trust anchors are used as the exclusive source of trust.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams. Must be non-NULL.
+ *  "useOnlyTrustAnchors"
+ *      If true, indicates that trust anchors should be used exclusively when
+ *      they have been specified via PKIX_ProcessingParams_SetTrustAnchors. A
+ *      certificate will be considered invalid if it does not chain to a
+ *      trusted anchor from that list.
+ *      If false, indicates that the trust anchors are additive to whatever
+ *      existing trust stores are configured. A certificate is considered
+ *      valid if it chains to EITHER a trusted anchor from that list OR a
+ *      certificate marked trusted in a trust store.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetUseOnlyTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean useOnlyTrustAnchors,
+        void *plContext);
+
+/*
  * FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching
  * DESCRIPTION:
  *
  *  Retrieves a pointer to the Boolean. The boolean value represents
  *  the switch value that is used to identify if url in cert AIA extension
  *  may be used for cert fetching.
  *  If the function succeeds, the pointer to the Boolean is guaranteed to be
  *  non-NULL.
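Review bot: Neither new description states the default, although the default decides whether trust stores are consulted at all: the pkix_procparams.c hunk sets `useOnlyTrustAnchors` to `PKIX_TRUE` in `PKIX_ProcessingParams_Create`. The Set comment should say so, e.g. ` * The default is PKIX_TRUE (anchors are the exclusive source of trust).`, and should note that passing false widens the accepted chains to anything trusted in a configured store. In the Get comment, `"pUseOnlyTrustAnchors"` is described as the "Address where object pointer will be stored", but it receives a `PKIX_Boolean` value rather than an object pointer.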
--- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
@@ -551,16 +551,17 @@ PKIX_ProcessingParams_Create(
         params->resourceLimits = NULL;
 
         params->isCrlRevocationCheckingEnabled = PKIX_TRUE;
 
         params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
 
         params->useAIAForCertFetching = PKIX_FALSE;
         params->qualifyTargetCert = PKIX_TRUE;
+        params->useOnlyTrustAnchors = PKIX_TRUE;
 
         *pParams = params;
         params = NULL;
 
 cleanup:
 
         PKIX_DECREF(params);
 
@@ -682,16 +683,54 @@ PKIX_ProcessingParams_GetTrustAnchors(
         PKIX_INCREF(params->trustAnchors);
 
         *pAnchors = params->trustAnchors;
 
 cleanup:
         PKIX_RETURN(PROCESSINGPARAMS);
 }
 
+/**
+ * FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetUseOnlyTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pUseOnlyTrustAnchors,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetUseTrustAnchorsOnly");
+        PKIX_NULLCHECK_TWO(params, pUseOnlyTrustAnchors);
+
+        *pUseOnlyTrustAnchors = params->useOnlyTrustAnchors;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/**
+ * FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetUseOnlyTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean useOnlyTrustAnchors,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetUseTrustAnchorsOnly");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->useOnlyTrustAnchors = useOnlyTrustAnchors;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
 /*
  * FUNCTION: PKIX_ProcessingParams_GetDate (see comments in pkix_params.h)
  */
 PKIX_Error *
 PKIX_ProcessingParams_GetDate(
         PKIX_ProcessingParams *params,
         PKIX_PL_Date **pDate,
         void *plContext)
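Review bot: The names written in this hunk do not match the functions they sit in. The comment above `PKIX_ProcessingParams_GetUseOnlyTrustAnchors` is headed `FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors`, and both `PKIX_ENTER` calls pass `"PKIX_ProcessingParams_SetUseTrustAnchorsOnly"`, a name no function in the patch has. If that string appears in tracing or error reports it would point at the wrong function. The calls should pass `"PKIX_ProcessingParams_GetUseOnlyTrustAnchors"` and `"PKIX_ProcessingParams_SetUseOnlyTrustAnchors"` respectively, and the first header should name the Get function.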
--- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
@@ -31,16 +31,17 @@ struct PKIX_ProcessingParamsStruct {
         PKIX_List *certChainCheckers;
         PKIX_List *certStores;
         PKIX_Boolean isCrlRevocationCheckingEnabled;
         PKIX_Boolean isCrlRevocationCheckingEnabledWithNISTPolicy;
         PKIX_RevocationChecker *revChecker;
         PKIX_ResourceLimits *resourceLimits;
         PKIX_Boolean useAIAForCertFetching;
         PKIX_Boolean qualifyTargetCert;
+        PKIX_Boolean useOnlyTrustAnchors;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_ProcessingParams_RegisterSelf(void *plContext);
 
 #ifdef __cplusplus
 }
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -258,16 +258,18 @@ pkix_ForwardBuilderState_Create(
                 state->buildConstants.userCheckers =
                         parentState->buildConstants.userCheckers;
                 state->buildConstants.hintCerts =
                         parentState->buildConstants.hintCerts;
                 state->buildConstants.revChecker =
                         parentState->buildConstants.revChecker;
                 state->buildConstants.aiaMgr =
                         parentState->buildConstants.aiaMgr;
+                state->buildConstants.trustOnlyUserAnchors =
+                        parentState->buildConstants.trustOnlyUserAnchors;
         }
 
         *pState = state;
         state = NULL;
 cleanup:
         
         PKIX_DECREF(state);
 
@@ -842,20 +844,18 @@ pkix_Build_VerifyCertificate(
         PKIX_NULLCHECK_THREE
                 (state->candidateCerts, state->prevCert, state->trustChain);
 
         *pNeedsCRLChecking = PKIX_FALSE;
 
         PKIX_INCREF(state->candidateCert);
         candidateCert = state->candidateCert;
 
-        /* If user defined trust anchor list is not empty, do not
-         * trust any certs except to the ones that are in the list */
         if (state->buildConstants.numAnchors) {
-            trustOnlyUserAnchors = PKIX_TRUE;
+            trustOnlyUserAnchors = state->buildConstants.trustOnlyUserAnchors;
         }
 
         PKIX_CHECK(
             PKIX_PL_Cert_IsCertTrusted(candidateCert,
                                        trustOnlyUserAnchors,
                                        &trusted, plContext),
             PKIX_CERTISCERTTRUSTEDFAILED);
 
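Review bot: The removed comment was the only explanation of this branch and nothing replaces it, although the branch now decides between exclusive and additive trust. I would add, above the `if`, `/* With user anchors present, the caller's useOnlyTrustAnchors setting decides whether only those anchors are trusted; with none, the initial value of trustOnlyUserAnchors stands. */`. That initial value is declared outside the hunk, as `pkix_Build_VerifyCertificate` starts and ends outside it.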
@@ -3472,17 +3472,19 @@ pkix_Build_InitiateBuildChain(
             buildConstants.targetCert = targetCert;
             buildConstants.targetPubKey = targetPubKey;
             buildConstants.certStores = certStores;
             buildConstants.anchors = anchors;
             buildConstants.userCheckers = userCheckers;
             buildConstants.hintCerts = hintCerts;
             buildConstants.revChecker = revChecker;
             buildConstants.aiaMgr = aiaMgr;
-                
+            buildConstants.trustOnlyUserAnchors =
+                    procParams->useOnlyTrustAnchors;
+
             PKIX_CHECK(pkix_Build_GetResourceLimits(&buildConstants, plContext),
                     PKIX_BUILDGETRESOURCELIMITSFAILED);
     
             PKIX_CHECK(pkix_ForwardBuilderState_Create
                     (0,              /* PKIX_UInt32 traversedCACerts */
                     buildConstants.maxFanout,
                     buildConstants.maxDepth,
                     PKIX_FALSE,      /* PKIX_Boolean revCheckDelayed */
@@ -3519,16 +3521,18 @@ pkix_Build_InitiateBuildChain(
             state->buildConstants.userCheckers =
                     buildConstants.userCheckers;
             PKIX_INCREF(buildConstants.hintCerts);
             state->buildConstants.hintCerts = buildConstants.hintCerts;
             PKIX_INCREF(buildConstants.revChecker);
             state->buildConstants.revChecker = buildConstants.revChecker;
             state->buildConstants.aiaMgr = buildConstants.aiaMgr;
             aiaMgr = NULL;
+            state->buildConstants.trustOnlyUserAnchors =
+                    buildConstants.trustOnlyUserAnchors;
 
             if (buildConstants.maxTime != 0) {
                     PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
                             (buildConstants.maxTime,
                             &state->buildConstants.timeLimit,
                             plContext),
                             PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);
             }
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.h
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h
@@ -63,16 +63,17 @@ struct BuildConstantsStruct {
         PKIX_PL_PublicKey *targetPubKey;
         PKIX_List *certStores;
         PKIX_List *anchors;
         PKIX_List *userCheckers;
         PKIX_List *hintCerts;
         PKIX_RevocationChecker *revChecker;
         PKIX_PL_AIAMgr *aiaMgr;
         PKIX_Boolean useAIAForCertFetching;
+        PKIX_Boolean trustOnlyUserAnchors;
 };
 
 struct PKIX_ForwardBuilderStateStruct{
         BuildStatus status;
         PKIX_Int32 traversedCACerts;
         PKIX_UInt32 certStoreIndex;
         PKIX_UInt32 numCerts;
         PKIX_UInt32 numAias;
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3310,17 +3310,17 @@ PKIX_PL_Cert_IsCertTrusted(
         rv = pkix_pl_Cert_GetTrusted(plContext, cert, &trusted, PKIX_TRUE);
         if (rv != SECSuccess) {
                 /* Failure means the cert is explicitly distrusted,
                  * let the next level know not to use it. */
                 *pTrusted = PKIX_FALSE;
                 PKIX_ERROR(PKIX_CERTISCERTTRUSTEDFAILED);
         }
 
-        if (trustOnlyUserAnchors) {
+        if (trustOnlyUserAnchors || cert->isUserTrustAnchor) {
             /* discard our |trusted| value since we are using the anchors */
             *pTrusted = cert->isUserTrustAnchor;
             goto cleanup;
         }
 
         /* no key usage information or store is not trusted */
         if (plContext == NULL || cert->store == NULL) {
                 *pTrusted = PKIX_FALSE;
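Review bot: The comment inside the branch, "discard our |trusted| value since we are using the anchors", no longer describes both ways of reaching it. With the added `cert->isUserTrustAnchor` term, a user-supplied anchor is accepted here even when `trustOnlyUserAnchors` is false, once the explicit-distrust check above it has passed. I would reword it along the lines of `/* user anchors are trusted in either mode; in exclusive mode nothing else is */`. `PKIX_PL_Cert_IsCertTrusted` begins and ends outside the hunk.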
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -818,17 +818,17 @@ pkix_pl_InfoAccess_ParseLocation(
 
         /* Convert remaining AVAs to LDAPNameComponents */
         for (ncIndex = 0; ncIndex < len; ncIndex ++) {
                 setOfNameComponent[ncIndex] = nameComponent;
                 avaPtr = avaArray[ncIndex];
                 nameComponent->attrType = (unsigned char *)avaPtr;
                 while ((*avaPtr != '=') && (*avaPtr != '\0')) {
                         avaPtr++;
-                        if (avaPtr == '\0') {
+                        if (*avaPtr == '\0') {
                                 PKIX_ERROR(PKIX_NAMECOMPONENTWITHNOEQ);
                         }
                 }
                 *(avaPtr++) = '\0';
                 nameComponent->attrValue = (unsigned char *)avaPtr;
                 nameComponent++;
         }
 
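Review bot: An empty AVA still slips past the corrected test, because the `while` condition is already false on entry when `*avaPtr` is `'\0'`, and `*(avaPtr++) = '\0'` then leaves `attrValue` one byte past the terminator. Testing after the loop covers both cases: `if (*avaPtr != '=') { PKIX_ERROR(PKIX_NAMECOMPONENTWITHNOEQ); }`, placed between the loop and the `*(avaPtr++) = '\0'` line. Whether `avaArray` can hold an empty string depends on the splitting code outside this hunk.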
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -319,17 +319,16 @@ PK11_MakeCertFromHandle(PK11SlotInfo *sl
 	cert->ownSlot = PR_TRUE;
 	cert->series = slot->series;
     }
 
     trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
     if (trust == NULL) 
     	goto loser;
     PORT_Memset(trust,0, sizeof(CERTCertTrust));
-    cert->trust = trust;
 
     if(! pk11_HandleTrustObject(slot, cert, trust) ) {
 	unsigned int type;
 
 	/* build some cert trust flags */
 	if (CERT_IsCACert(cert, &type)) {
 	    unsigned int trustflags = CERTDB_VALID_CA;
 	   
@@ -360,16 +359,20 @@ PK11_MakeCertFromHandle(PK11SlotInfo *sl
 	}
     }
 
     if (PK11_IsUserCert(slot,cert,certID)) {
 	trust->sslFlags |= CERTDB_USER;
 	trust->emailFlags |= CERTDB_USER;
 	/*    trust->objectSigningFlags |= CERTDB_USER; */
     }
+    CERT_LockCertTrust(cert);
+    cert->trust = trust;
+    CERT_UnlockCertTrust(cert);
+
     return cert;
 
 loser:
     if (nickname) 
     	PORT_Free(nickname);
     if (cert) 
     	CERT_DestroyCertificate(cert);
     return NULL;
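Review bot: Nothing records why `cert->trust` is now assigned only at the end of `PK11_MakeCertFromHandle`. From this hunk and the one at -319, the intent appears to be to publish the trust record under the lock only after `pk11_HandleTrustObject` and the `CERTDB_USER` flags have filled it in. A line such as `/* publish trust only after it is fully populated */` before `CERT_LockCertTrust(cert)` would say so. One thing to confirm: `CERT_IsCACert(cert, &type)` in the -319 hunk now runs while `cert->trust` is still NULL, where before it saw the zeroed record, and its body is not visible here.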
@@ -1405,16 +1408,17 @@ pk11_keyIDHash_populate(void *wincx)
  * (they should be!)
  */
 static CERTCertificate *
 pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg)
 {
     NSSCMSRecipient *ri = NULL;
     int i;
     PRBool tokenRescanDone = PR_FALSE;
+    CERTCertTrust trust;
 
     for (i=0; (ri = recipientlist[i]) != NULL; i++) {
 	CERTCertificate *cert = NULL;
 	if (ri->kind == RLSubjKeyID) {
 	    SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
 	    if (!derCert && !tokenRescanDone) {
 		/*
 		 * We didn't find the cert by its key ID. If we have slots
@@ -1485,18 +1489,18 @@ pk11_FindCertObjectByRecipientNew(PK11Sl
 		SECITEM_FreeItem(derCert, PR_TRUE);
 	    }
 	} else {
 	    cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
 						     pwarg);
 	}
 	if (cert) {
 	    /* this isn't our cert */
-	    if ((cert->trust == NULL) ||
-       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+	    if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+       		((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
 		 CERT_DestroyCertificate(cert);
 		continue;
 	    }
 	    ri->slot = PK11_ReferenceSlot(slot);
 	    *rlIndex = i;
 	    return cert;
 	}
     }
@@ -1545,27 +1549,28 @@ pk11_AllFindCertObjectByRecipientNew(NSS
  * list of recipients. This searches one slot.
  */
 static CERTCertificate *
 pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, 
 	SEC_PKCS7RecipientInfo **recipientArray,
 	SEC_PKCS7RecipientInfo **rip, void *pwarg)
 {
     SEC_PKCS7RecipientInfo *ri = NULL;
+    CERTCertTrust trust;
     int i;
 
     for (i=0; (ri = recipientArray[i]) != NULL; i++) {
 	CERTCertificate *cert;
 
 	cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
 								pwarg);
         if (cert) {
 	    /* this isn't our cert */
-	    if ((cert->trust == NULL) ||
-       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+	    if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+       		((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
 		 CERT_DestroyCertificate(cert);
 		continue;
 	    }
 	    *rip = ri;
 	    return cert;
 	}
 
     }
@@ -2255,19 +2260,20 @@ KEAPQGCompare(CERTCertificate *server,CE
     return PR_FALSE;
 }
 
 PRBool
 PK11_FortezzaHasKEA(CERTCertificate *cert) 
 {
    /* look at the subject and see if it is a KEA for MISSI key */
    SECOidData *oid;
+   CERTCertTrust trust;
 
-   if ((cert->trust == NULL) ||
-       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
+   if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+       ((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) {
        return PR_FALSE;
    }
 
    oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
    if (!oid) {
        return PR_FALSE;
    }
 
--- a/security/nss/lib/pk11wrap/pk11merge.c
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -424,16 +424,17 @@ static SECStatus
 pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
 		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
 {
     PK11SymKey *sourceKey = NULL;
     PK11SymKey *targetKey = NULL;
     SECItem *sourceOutput = NULL;
     SECItem *targetOutput = NULL;
     SECItem *param = NULL;
+    int blockSize;
     SECItem input;
     CK_OBJECT_HANDLE targetKeyID;
     CK_FLAGS flags;
     PRArenaPool *arena = NULL;
     SECStatus rv = SECSuccess;
     CK_MECHANISM_TYPE keyMechType, cryptoMechType;
     CK_KEY_TYPE sourceKeyType, targetKeyType;
     CK_ATTRIBUTE symTemplate[] = {
@@ -486,21 +487,22 @@ pk11_mergeSecretKey(PK11SlotInfo *target
     rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot,
 			symTemplate, symTemplateCount, id, &targetKeyID);
     if (rv != SECSuccess) {
 	goto done;
     }
 
     /* set up the input test */
     input.data = (unsigned char *)testString;
-    input.len = PK11_GetBlockSize(cryptoMechType, NULL);
-    if (input.len < 0) {
+    blockSize = PK11_GetBlockSize(cryptoMechType, NULL);
+    if (blockSize < 0) {
 	rv = SECFailure;
 	goto done;
     }
+    input.len = blockSize;
     if (input.len == 0) {
 	input.len = sizeof (testString);
     }
     while (targetKeyID != CK_INVALID_HANDLE) {
 	/* test to see if the keys are identical */
 	targetKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE);
 	if (targetKeyType == sourceKeyType) {
 		/* same keyType  - see if it's the same key */
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@@ -140,34 +140,47 @@ CERT_ConvertAndDecodeCertificate(char *c
     return cert;
 }
 
 static const char NS_CERT_HEADER[]  = "-----BEGIN CERTIFICATE-----";
 static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
 #define NS_CERT_HEADER_LEN  ((sizeof NS_CERT_HEADER) - 1)
 #define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
 
-static const char CERTIFICATE_TYPE_STRING[] = "certificate";
-#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
-
 /*
  * read an old style ascii or binary certificate chain
  */
 SECStatus
 CERT_DecodeCertPackage(char *certbuf,
 		       int certlen,
 		       CERTImportCertificateFunc f,
 		       void *arg)
 {
     unsigned char *cp;
     unsigned char *bincert = NULL;
     char *         ascCert = NULL;
     SECStatus      rv;
     
     if ( certbuf == NULL ) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return(SECFailure);
+    }
+    /*
+     * Make sure certlen is long enough to handle the longest possible
+     * reference in the code below:
+     * 0x30 0x84 l1 l2 l3 l4  +
+     *                       tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
+     *   6 + 11 = 17. 17 bytes is clearly too small to code any kind of
+     *  certificate (a 128 bit ECC certificate contains at least an 8 byte
+     * key and a 16 byte signature, plus coding overhead). Typically a cert
+     * is much larger. So it's safe to require certlen to be at least 17
+     * bytes.
+     */
+    if (certlen < 17) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
 	return(SECFailure);
     }
     
     cp = (unsigned char *)certbuf;
 
     /* is a DER encoded certificate of some type? */
     if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
 	SECItem certitem;
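Review bot: The literal `17` here and the literal `9` in the OID-length check added at -212 depend on each other, and only comments tie them together. Named constants would make the coupling enforceable, e.g. `#define CERT_PKG_MAX_OID_LEN 9` and `#define CERT_PKG_MIN_LEN (6 + 2 + CERT_PKG_MAX_OID_LEN)` (names are illustrative), so that raising the OID limit cannot leave the length floor behind. `CERT_DecodeCertPackage` continues outside the hunk.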
@@ -189,19 +202,22 @@ CERT_DecodeCertPackage(char *certbuf,
 		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
 		break;
 	      case 2:
 		seqLen = (cp[1]<<8) | cp[2];
 		break;
 	      case 1:
 		seqLen = cp[1];
 		break;
-	      default:
+	      case 0:
 		/* indefinite length */
 		seqLen = 0;
+		break;
+	      default:
+		goto notder;
 	    }
 	    cp += ( seqLenLen + 1 );
 
 	} else {
 	    seqLenLen = 0;
 	    seqLen = *cp;
 	    cp++;
 	}
@@ -212,36 +228,30 @@ CERT_DecodeCertPackage(char *certbuf,
 		if (certlen > ( seqLen + seqLenLen + 2 ))
 		    PORT_SetError(SEC_ERROR_EXTRA_INPUT);
 		else 
 		    PORT_SetError(SEC_ERROR_INPUT_LEN);
 		goto notder;
 	    }
 	}
 	
-	/* check the type string */
-	/* netscape wrapped DER cert */
-	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
-	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
-	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
-	    
-	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
-
-	    /* it had better be a certificate by now!! */
-	    certitem.data = cp;
-	    certitem.len = certlen - ( cp - (unsigned char *)certbuf );
-	    
-	    rv = (* f)(arg, &pcertitem, 1);
-	    
-	    return(rv);
-	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
+	/* check the type oid */
+	if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
 	    SECOidData *oiddata;
 	    SECItem oiditem;
 	    /* XXX - assume DER encoding of OID len!! */
 	    oiditem.len = cp[1];
+	    /* if we add an oid below that is longer than 9 bytes, then we
+	     * need to change the certlen check at the top of the function
+	     * to prevent a buffer overflow
+	     */
+	    if ( oiditem.len > 9 ) {
+		PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
+		return(SECFailure);
+	    }
 	    oiditem.data = (unsigned char *)&cp[2];
 	    oiddata = SECOID_FindOID(&oiditem);
 	    if ( oiddata == NULL ) {
 		return(SECFailure);
 	    }
 
 	    certitem.data = (unsigned char*)certbuf;
 	    certitem.len = certlen;
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -1,14 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.110 $ $Date: 2012/12/12 19:22:40 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.111 $ $Date: 2013/01/07 04:11:51 $";
 #endif /* DEBUG */
 
 /*
  * Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
  */
 
 #ifndef NSSPKI_H
 #include "nsspki.h"
@@ -800,17 +800,19 @@ fill_CERTCertificateFields(NSSCertificat
 	    nssTrust = nssTrustDomain_FindTrustForCertificate(context->td, c);
 	}
 	if (nssTrust) {
             trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
             if (trust) {
                 /* we should destroy cc->trust before replacing it, but it's
                    allocated in cc->arena, so memory growth will occur on each
                    refresh */
+                CERT_LockCertTrust(cc);
                 cc->trust = trust;
+                CERT_UnlockCertTrust(cc);
             }
 	    nssTrust_Destroy(nssTrust);
 	}
     } else if (instance) {
 	/* slot */
 	if (cc->slot != instance->token->pk11slot) {
 	    if (cc->slot) {
 		PK11_FreeSlot(cc->slot);
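Review bot: The lock added around `cc->trust = trust;` covers only the pointer store, and the code does not say what readers must do for that to be enough. A short comment at the assignment would record the contract, for example `/* publish under the trust lock; readers must copy via CERT_GetCertTrust() instead of dereferencing cc->trust */`. The existing comment notes that the old object stays in `cc->arena`, so a stale pointer presumably remains valid memory, but that deserves to be stated as the reason the narrow lock is sufficient. The same applies to the identical lock/store/unlock in the next hunk (`@@ -821`) of fill_CERTCertificateFields.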
@@ -821,17 +823,19 @@ fill_CERTCertificateFields(NSSCertificat
 	/* pkcs11ID */
 	cc->pkcs11ID = instance->handle;
 	/* trust */
 	trust = nssTrust_GetCERTCertTrustForCert(c, cc);
         if (trust) {
             /* we should destroy cc->trust before replacing it, but it's
                allocated in cc->arena, so memory growth will occur on each
                refresh */
+            CERT_LockCertTrust(cc);
             cc->trust = trust;
+            CERT_UnlockCertTrust(cc);
         }
 	nssCryptokiObject_Destroy(instance);
     } 
     /* database handle is now the trust domain */
     cc->dbhandle = c->object.trustDomain;
     /* subjectList ? */
     /* istemp and isperm are supported in NSS 3.4 */
     cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
@@ -848,16 +852,17 @@ fill_CERTCertificateFields(NSSCertificat
     }
 }
 
 static CERTCertificate *
 stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
 {
     nssDecodedCert *dc = NULL;
     CERTCertificate *cc = NULL;
+    CERTCertTrust certTrust;
 
     nssPKIObject_Lock(&c->object);
 
     dc = c->decoding;
     if (!dc) {
 	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
 	if (!dc) {
             goto loser;
@@ -882,24 +887,28 @@ stan_GetCERTCertificate(NSSCertificate *
     cc = (CERTCertificate *)dc->data;
     PORT_Assert(cc);
     if (!cc) {
         nss_SetError(NSS_ERROR_INTERNAL_ERROR);
         goto loser;
     }
     if (!cc->nssCertificate || forceUpdate) {
         fill_CERTCertificateFields(c, cc, forceUpdate);
-    } else if (!cc->trust && !c->object.cryptoContext) {
+    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
+               !c->object.cryptoContext) {
         /* if it's a perm cert, it might have been stored before the
          * trust, so look for the trust again.  But a temp cert can be
          * ignored.
          */
         CERTCertTrust* trust = NULL;
         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+
+        CERT_LockCertTrust(cc);
         cc->trust = trust;
+        CERT_UnlockCertTrust(cc);
     }
 
   loser:
     nssPKIObject_Unlock(&c->object);
     return cc;
 }
 
 NSS_IMPLEMENT CERTCertificate *
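Review bot: The `CERT_GetCertTrust(cc, &certTrust)` test and the later locked store are two separate critical sections, and `trust` can presumably be NULL when nssTrust_GetCERTCertTrustForCert finds nothing. If another writer sets `cc->trust` in between (STAN_ChangeCertTrust does not visibly take the object lock), this branch would replace it with NULL. Guarding the store the way both sites in fill_CERTCertificateFields already do closes that window: `if (trust) {` ... `cc->trust = trust;` ... `}`. `certTrust` is used only as a discarded out-parameter, which a one-line comment should say.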
@@ -1081,37 +1090,41 @@ STAN_ChangeCertTrust(CERTCertificate *cc
 {
     PRStatus nssrv;
     NSSCertificate *c = STAN_GetNSSCertificate(cc);
     NSSToken *tok;
     NSSTrustDomain *td;
     NSSTrust *nssTrust;
     NSSArena *arena;
     CERTCertTrust *oldTrust;
+    CERTCertTrust *newTrust;
     nssListIterator *tokens;
     PRBool moving_object;
     nssCryptokiObject *newInstance;
     nssPKIObject *pkiob;
 
     if (c == NULL) {
         return PR_FAILURE;
     }
     oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
     if (oldTrust) {
 	if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
 	    /* ... and the new trust is no different, done) */
 	    return PR_SUCCESS;
 	} else {
 	    /* take over memory already allocated in cc's arena */
-	    cc->trust = oldTrust;
+	    newTrust = oldTrust;
 	}
     } else {
-	cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+	newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
     }
-    memcpy(cc->trust, trust, sizeof(CERTCertTrust));
+    memcpy(newTrust, trust, sizeof(CERTCertTrust));
+    CERT_LockCertTrust(cc);
+    cc->trust = newTrust;
+    CERT_UnlockCertTrust(cc);
     /* Set the NSSCerticate's trust */
     arena = nssArena_Create();
     if (!arena) return PR_FAILURE;
     nssTrust = nss_ZNEW(arena, NSSTrust);
     if (!nssTrust) {
 	nssArena_Destroy(arena);
 	return PR_FAILURE;
     }
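Review bot: `newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));` is followed directly by `memcpy(newTrust, trust, ...)` with no NULL check, so an allocation failure becomes a write through a null pointer. Adding `if (!newTrust) return PR_FAILURE;` before the memcpy matches how the function already handles `nssArena_Create` and `nss_ZNEW` failures a few lines later. Separately, when `oldTrust` is reused the memcpy runs outside the trust lock; if that memory can be the object currently published in `cc->trust` (not determinable from this hunk), the copy belongs inside the `CERT_LockCertTrust` section. The function continues beyond the hunk.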
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -19,22 +19,23 @@
  */
 
 #include "sdb.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include <sqlite3.h>
 #include "prthread.h"
 #include "prio.h"
-#include "stdio.h"
+#include <stdio.h>
 #include "secport.h"
 #include "prmon.h"
 #include "prenv.h"
+#include "prprf.h"
 #include "prsystem.h" /* for PR_GetDirectorySeparator() */
-#include "sys/stat.h"
+#include <sys/stat.h>
 #if defined(_WIN32)
 #include <io.h>
 #include <windows.h>
 #elif defined(XP_UNIX)
 #include <unistd.h>
 #endif
 
 #ifdef SQLITE_UNSAFE_THREADS
@@ -190,17 +191,17 @@ sdb_done(int err, int *count)
 }
 
 /*
  * find out where sqlite stores the temp tables. We do this by replicating
  * the logic from sqlite.
  */
 #if defined(_WIN32)
 static char *
-sdb_getTempDir(void)
+sdb_getFallbackTempDir(void)
 {
     /* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
      * access to sqlite3_temp_directory because it is not exported from
      * sqlite3.dll. Assume sqlite3_win32_set_directory isn't called and
      * sqlite3_temp_directory is NULL.
      */
     char path[MAX_PATH];
     DWORD rv;
@@ -214,17 +215,17 @@ sdb_getTempDir(void)
         return NULL;
     /* The returned string ends with a backslash, for example, "C:\TEMP\". */
     if (path[len - 1] == '\\')
         path[len - 1] = '\0';
     return PORT_Strdup(path);
 }
 #elif defined(XP_UNIX)
 static char *
-sdb_getTempDir(void)
+sdb_getFallbackTempDir(void)
 {
     const char *azDirs[] = {
         NULL,
         NULL,
         "/var/tmp",
         "/usr/tmp",
         "/tmp",
         NULL     /* List terminator */
@@ -245,19 +246,62 @@ sdb_getTempDir(void)
         break;
     }
 
     if (zDir == NULL)
         return NULL;
     return PORT_Strdup(zDir);
 }
 #else
-#error "sdb_getTempDir not implemented"
+#error "sdb_getFallbackTempDir not implemented"
 #endif
 
+static char *
+sdb_getTempDir(sqlite3 *sqlDB)
+{
+    int sqlrv;
+    char *result = NULL;
+    char *tempName = NULL;
+    char *foundSeparator = NULL;
+
+    /* Obtain temporary filename in sqlite's directory for temporary tables */
+    sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
+				 (void*)&tempName);
+    if (sqlrv == SQLITE_NOTFOUND) {
+	/* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
+	 * an older SQLite. */
+	return sdb_getFallbackTempDir();
+    }
+    if (sqlrv != SQLITE_OK) {
+	return NULL;
+    }
+
+    /* We'll extract the temporary directory from tempName */
+    foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
+    if (foundSeparator) {
+	/* We shorten the temp filename string to contain only
+	  * the directory name (including the trailing separator).
+	  * We know the byte after the foundSeparator position is
+	  * safe to use, in the shortest scenario it contains the
+	  * end-of-string byte.
+	  * By keeping the separator at the found position, it will
+	  * even work if tempDir consists of the separator, only.
+	  * (In this case the toplevel directory will be used for
+	  * access speed testing). */
+	++foundSeparator;
+	*foundSeparator = 0;
+
+	/* Now we copy the directory name for our caller */
+	result = PORT_Strdup(tempName);
+    }
+
+    sqlite3_free(tempName);
+    return result;
+}
+
 /*
  * Map SQL_LITE errors to PKCS #11 errors as best we can.
  */
 static CK_RV
 sdb_mapSQLError(sdbDataType type, int sqlerr)
 {
     switch (sqlerr) {
     /* good matches */
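Review bot: In the new sdb_getTempDir, `tempName` is passed to `PORT_Strrchr` whenever `sqlrv == SQLITE_OK`, without checking that SQLite actually stored a pointer. If the file-control call can report success while leaving the argument untouched (for instance when its own allocation fails), this dereferences NULL. Changing the guard to `if (sqlrv != SQLITE_OK || tempName == NULL) return NULL;` costs nothing. The `SQLITE_NOTFOUND` fallback handles an older library at run time, but building against an older sqlite3.h that lacks `SQLITE_FCNTL_TEMPFILENAME` would still fail to compile, so an `#ifdef SQLITE_FCNTL_TEMPFILENAME` around the call with a direct `return sdb_getFallbackTempDir();` in the `#else` may be worth adding.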
@@ -286,59 +330,96 @@ sdb_mapSQLError(sdbDataType type, int sq
 }
 
 
 /*
  * build up database name from a directory, prefix, name, version and flags.
  */
 static char *sdb_BuildFileName(const char * directory, 
 			const char *prefix, const char *type, 
-			int version, int flags)
+			int version)
 {
     char *dbname = NULL;
     /* build the full dbname */
-    dbname = sqlite3_mprintf("%s/%s%s%d.db",directory, prefix, type, version);
+    dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
+			     (int)(unsigned char)PR_GetDirectorySeparator(),
+			     prefix, type, version);
     return dbname;
 }
 
 
 /*
  * find out how expensive the access system call is for non-existant files
  * in the given directory.  Return the number of operations done in 33 ms.
  */
 static PRUint32
 sdb_measureAccess(const char *directory)
 {
     PRUint32 i;
     PRIntervalTime time;
     PRIntervalTime delta;
     PRIntervalTime duration = PR_MillisecondsToInterval(33);
+    const char *doesntExistName = "_dOeSnotExist_.db";
+    char *temp, *tempStartOfFilename;
+    size_t maxTempLen, maxFileNameLen, directoryLength;
 
     /* no directory, just return one */
     if (directory == NULL) {
 	return 1;
     }
 
+    /* our calculation assumes time is a 4 bytes == 32 bit integer */
+    PORT_Assert(sizeof(time) == 4);
+
+    directoryLength = strlen(directory);
+
+    maxTempLen = directoryLength + strlen(doesntExistName)
+		 + 1 /* potential additional separator char */
+		 + 11 /* max chars for 32 bit int plus potential sign */
+		 + 1; /* zero terminator */
+
+    temp = PORT_Alloc(maxTempLen);
+    if (!temp) {
+        return 1;
+    }
+
+    /* We'll copy directory into temp just once, then ensure it ends
+     * with the directory separator, then remember the position after
+     * the separator, and calculate the number of remaining bytes. */
+
+    strcpy(temp, directory);
+    if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) {
+	temp[directoryLength++] = PR_GetDirectorySeparator();
+    }
+    tempStartOfFilename = temp + directoryLength;
+    maxFileNameLen = maxTempLen - directoryLength;
+
     /* measure number of Access operations that can be done in 33 milliseconds
      * (1/30'th of a second), or 10000 operations, which ever comes first.
      */
     time =  PR_IntervalNow();
     for (i=0; i < 10000u; i++) { 
-	char *temp;
 	PRIntervalTime next;
 
-        temp  = sdb_BuildFileName(directory,"","._dOeSnotExist_", time+i, 0);
+	/* We'll use the variable part first in the filename string, just in
+	 * case it's longer than assumed, so if anything gets cut off, it
+	 * will be cut off from the constant part.
+	 * This code assumes the directory name at the beginning of
+	 * temp remains unchanged during our loop. */
+        PR_snprintf(tempStartOfFilename, maxFileNameLen,
+		    ".%lu%s", (PRUint32)(time+i), doesntExistName);
 	PR_Access(temp,PR_ACCESS_EXISTS);
-        sqlite3_free(temp);
 	next = PR_IntervalNow();
 	delta = next - time;
 	if (delta >= duration)
 	    break;
     }
 
+    PORT_Free(temp);
+
     /* always return 1 or greater */
     return i ? i : 1u;
 }
 
 /*
  * some file sytems are very slow to run sqlite3 on, particularly if the
  * access count is pretty high. On these filesystems is faster to create
  * a temporary database on the local filesystem and access that. This
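Review bot: In sdb_measureAccess, `directory[directoryLength - 1]` reads one byte before the string when `directory` is an empty string, because `directoryLength` is a `size_t` and the subtraction wraps. Only NULL is rejected above it. Testing the length first keeps the old behaviour of probing under the separator alone: `if (directoryLength == 0 || directory[directoryLength - 1] != PR_GetDirectorySeparator()) {`. A comment on the `maxTempLen` sum stating that the 11 also has to cover the leading `.` of the format string would help whoever next changes `".%lu%s"`.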
@@ -1787,17 +1868,17 @@ sdb_init(char *dbname, char *table, sdbD
      } else {
 	char *tempDir = NULL;
 	PRUint32 tempOps = 0;
 	/*
 	 *  Use PR_Access to determine how expensive it
 	 * is to check for the existance of a local file compared to the same
 	 * check in the temp directory. If the temp directory is faster, cache
 	 * the database there. */
-	tempDir = sdb_getTempDir();
+	tempDir = sdb_getTempDir(sqlDB);
 	if (tempDir) {
 	    tempOps = sdb_measureAccess(tempDir);
 	    PORT_Free(tempDir);
 
 	    /* There is a cost to continually copying the database. 
 	     * Account for that cost  with the arbitrary factor of 10 */
 	    enableCache = (PRBool)(tempOps > accessOps * 10);
 	}
@@ -1896,19 +1977,19 @@ loser:
 
 /* sdbopen */
 CK_RV
 s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
 	int cert_version, int key_version, int flags, 
 	SDB **certdb, SDB **keydb, int *newInit)
 {
     char *cert = sdb_BuildFileName(directory, certPrefix,
-				   "cert", cert_version, flags);
+				   "cert", cert_version);
     char *key = sdb_BuildFileName(directory, keyPrefix,
-				   "key", key_version, flags);
+				   "key", key_version);
     CK_RV error = CKR_OK;
     int inUpdate;
     PRUint32 accessOps;
 
     if (certdb) 
 	*certdb = NULL;
     if (keydb) 
 	*keydb = NULL;
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1,16 +1,16 @@
 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3con.c,v 1.195 2012/11/15 18:49:01 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.197 2013/01/18 19:31:42 bsmith%mozilla.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"	/* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
@@ -8337,17 +8337,16 @@ static SECStatus
 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     ssl3CertNode *   c;
     ssl3CertNode *   lastCert 	= NULL;
     PRInt32          remaining  = 0;
     PRInt32          size;
     SECStatus        rv;
     PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
-    PRBool           trusted 	= PR_FALSE;
     PRBool           isTLS;
     SSL3AlertDescription desc;
     int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
     SECItem          certItem;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
 		SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
@@ -8380,18 +8379,20 @@ ssl3_HandleCertificate(sslSocket *ss, SS
 	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
 	if (remaining < 0)
 	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
 	if ((PRUint32)remaining > length)
 	    goto decode_loser;
     }
 
     if (!remaining) {
-	if (!(isTLS && isServer))
+	if (!(isTLS && isServer)) {
+	    desc = bad_certificate;
 	    goto alert_loser;
+	}
     	/* This is TLS's version of a no_certificate alert. */
     	/* I'm a server. I've requested a client cert. He hasn't got one. */
 	rv = ssl3_HandleNoCertificate(ss);
 	if (rv != SECSuccess) {
 	    errCode = PORT_GetError();
 	    goto loser;
 	}
 	goto server_no_cert;
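Review bot: `desc` is still declared without an initial value (`SSL3AlertDescription desc;` in the previous hunk), so the added `desc = bad_certificate;` repairs only this one jump to `alert_loser`. Other `goto alert_loser` sites lie outside the visible hunks and may or may not assign it first; a path that forgets would send an indeterminate alert value to the peer. Initialising at the declaration, `SSL3AlertDescription desc = bad_certificate;`, would give every such path a defined alert, at the cost of hiding a compiler's uninitialised-use warning. If that trade-off is unwanted, a comment at `alert_loser` stating that every jump must set `desc` would at least document the rule.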
@@ -8454,19 +8455,16 @@ ssl3_HandleCertificate(sslSocket *ss, SS
 	}
 
 	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
 	                                  PR_FALSE, PR_TRUE);
 	if (c->cert == NULL) {
 	    goto ambiguous_err;
 	}
 
-	if (c->cert->trust)
-	    trusted = PR_TRUE;
-
 	c->next = NULL;
 	if (lastCert) {
 	    lastCert->next = c;
 	} else {
 	    ss->ssl3.peerCertChain = c;
 	}
 	lastCert = c;
     }
--- a/security/nss/lib/util/secasn1t.h
+++ b/security/nss/lib/util/secasn1t.h
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
  * Encoding Rules).
  *
- * $Id: secasn1t.h,v 1.11 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secasn1t.h,v 1.12 2013/01/08 16:19:09 kaie%kuix.de Exp $
  */
 
 #ifndef _SECASN1T_H_
 #define _SECASN1T_H_
 
 #include "utilrename.h"
 
 /*
@@ -178,17 +178,17 @@ typedef struct sec_ASN1Template_struct {
 /*
 ** Function used for SEC_ASN1_DYNAMIC.
 ** "arg" is a pointer to the structure being encoded/decoded
 ** "enc", when true, means that we are encoding (false means decoding)
 */
 typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
 typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
 
-#if defined(_WIN32)
+#if defined(_WIN32) || defined(ANDROID)
 #define SEC_ASN1_GET(x)        NSS_Get_##x(NULL, PR_FALSE)
 #define SEC_ASN1_SUB(x)        &p_NSS_Get_##x
 #define SEC_ASN1_XTRN          SEC_ASN1_DYNAMIC
 #define SEC_ASN1_MKSUB(x) \
 static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
 #else
 #define SEC_ASN1_GET(x)        x
 #define SEC_ASN1_SUB(x)        x
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -1,14 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secoid.h"
-#include "secoidt.h"
 #include "pkcs11t.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "prenv.h"
 #include "plhash.h"
 #include "nssrwlk.h"
 #include "nssutil.h"
 
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1074,22 +1074,22 @@ cert_eccurves()
 cert_extensions_test()
 {
     COUNT=`expr ${COUNT} + 1`
     CERTNAME=TestExt${COUNT}
     CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 
     echo
     echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
-        -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+        -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
         -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
     echo "certutil options:"
     cat ${TARG_FILE}
     ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
-        -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+        -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
         -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
     RET=$?
     if [ "${RET}" -ne 0 ]; then
         CERTFAILED=1
         html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 
         cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 
         return 1
     fi
@@ -1480,17 +1480,19 @@ cert_cleanup()
 
 ################## main #################################################
 
 cert_init 
 cert_all_CA
 cert_extended_ssl 
 cert_ssl 
 cert_smime_client        
-cert_fips
+if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
+    cert_fips
+fi
 cert_eccurves
 cert_extensions
 cert_test_password
 cert_test_distrust
 cert_test_ocspresp
 
 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
     cert_crl_ssl
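Review bot: When `NSS_TEST_DISABLE_FIPS` is set, `cert_fips` is skipped without any trace in the output, so a run with the FIPS certificate database tests switched off looks the same as a run where they passed. An `else` branch that logs the skip makes the reduced coverage visible in the results, for example `else` / `echo "cert.sh: skipping cert_fips, NSS_TEST_DISABLE_FIPS is set"`. The `NSS_TEST_DISABLE_CRL` block just below has the same shape; whether it logs is not visible in this hunk.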
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -181,19 +181,23 @@ chains_init()
     DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
     NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
     NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
     NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
 
     if [ -n "${NSS_AIA_PATH}" ]; then
         HTTPPID=${NSS_AIA_PATH}/http_pid.$$
         mkdir -p "${NSS_AIA_PATH}"
-        pushd "${NSS_AIA_PATH}"
+        SAVEPWD=`pwd`
+        cd "${NSS_AIA_PATH}"
+        # Start_httpserv sets environment variables, which are required for
+        # correct cleanup. (Running it in a subshell doesn't work, the
+        # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
         start_httpserv
-        popd
+        cd "${SAVEPWD}"
     fi
 
     html_head "Certificate Chains Tests"
 }
 
 ############################ chains_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
@@ -785,45 +789,51 @@ revoke_cert()
 ########################################################################
 # List of global variables related to certificate verification:
 #
 # Generated by parse_config:
 # DB - DB used for testing
 # FETCH - fetch flag (used with AIA extension)
 # POLICY - list of policies
 # TRUST - trust anchor
+# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
 # VERIFY - list of certificates to use as vfychain parameters
 # EXP_RESULT - expected result
 # REV_OPTS - revocation options
 ########################################################################
 
 ############################# verify_cert ##############################
 # local shell function to verify certificate validity
 ########################################################################
 verify_cert()
 {
     DB_OPT=
     FETCH_OPT=
     POLICY_OPT=
     TRUST_OPT=
     VFY_CERTS=
     VFY_LIST=
+    TRUST_AND_DB_OPT=
 
     if [ -n "${DB}" ]; then
         DB_OPT="-d ${DB}"
     fi
 
     if [ -n "${FETCH}" ]; then
         FETCH_OPT="-f"
         if [ -z "${NSS_AIA_HTTP}" ]; then
             echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
             return
         fi
     fi
 
+    if [ -n "${TRUST_AND_DB}" ]; then
+        TRUST_AND_DB_OPT="-T"
+    fi
+
     for ITEM in ${POLICY}; do
         POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
     done
 
     for ITEM in ${TRUST}; do
         echo ${ITEM} | grep ":" > /dev/null
         if [ $? -eq 0 ]; then
             CERT_NICK=`echo ${ITEM} | cut -d: -f1`
@@ -846,18 +856,18 @@ verify_cert()
             VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
         else
             CERT=${CERT_NICK}${CERT_ISSUER}.der
             VFY_CERTS="${VFY_CERTS} ${CERT}"
             VFY_LIST="${VFY_LIST} ${CERT}"
         fi
     done
 
-    VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
-    VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+    VFY_OPTS_TNAME="${TRUST_AND_DB_OPT} ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+    VFY_OPTS_ALL="${DB_OPT} -pp -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
 
     TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
     echo "vfychain ${VFY_OPTS_ALL}"
 
     if [ -z "${MEMLEAK_DBG}" ]; then
         VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
         RESULT=$?
@@ -1040,16 +1050,17 @@ parse_config()
             ;;
         "copycrl")
             COPYCRL="${VALUE}"
             copy_crl "${COPYCRL}"
             ;;
         "verify")
             VERIFY="${VALUE}"
             TRUST=
+            TRUST_AND_DB=
             POLICY=
             FETCH=
             EXP_RESULT=
             REV_OPTS=
             USAGE_OPT=
             ;;
         "cert")
             VERIFY="${VERIFY} ${VALUE}"
@@ -1059,16 +1070,19 @@ parse_config()
                 DB="${VALUE}DB"
             else
                 DB=
             fi
             ;;
         "trust")
             TRUST="${TRUST} ${VALUE}"
             ;;
+        "trust_and_db")
+            TRUST_AND_DB=1
+            ;;
         "fetch")
             FETCH=1
             ;;
         "result")
             EXP_RESULT="${VALUE}"
             parse_result
             ;;
         "rev_type")
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -14,16 +14,17 @@
 # The Original Code is the Network Security Services (NSS)
 #
 # The Initial Developer of the Original Code is Sun Microsystems, Inc.
 # Portions created by the Initial Developer are Copyright (C) 2009
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
 #   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
+#   Ryan Sleevi <ryan.sleevi@gmail.com>, Google
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
 # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 # in which case the provisions of the GPL or the LGPL are applicable instead
 # of those above. If you wish to allow use of your version of this file only
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
@@ -46,8 +47,9 @@ aia.cfg
 bridgewithaia.cfg
 bridgewithhalfaia.cfg
 bridgewithpolicyextensionandmapping.cfg
 realcerts.cfg
 dsa.cfg
 revoc.cfg
 ocsp.cfg
 crldp.cfg
+trustanchors.cfg
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer RootCA
+
+entity CA2
+  type Intermediate
+  issuer CA1
+
+entity EE1
+  type EE
+  issuer CA2
+
+entity OtherRoot
+  type Root
+
+entity OtherIntermediate
+  type Intermediate
+  issuer OtherRoot
+
+entity EE2
+  type EE
+  issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+  cert CA2:CA1
+  result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+  trust CA2:CA1
+  result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+  cert CA2:CA1
+  trust RootCA
+  result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+  cert CA2:CA1
+  cert CA1:RootCA:
+  trust RootCA:
+  result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+  trust CA2:CA1
+  result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+  cert CA2:CA1
+  result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+  cert OtherIntermediate:OtherRoot
+  trust OtherRoot:
+  result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+  trust_and_db
+  cert CA2:CA1
+  trust OtherIntermediate:OtherRoot
+  trust OtherRoot:
+  result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+  cert CA2:CA1
+  trust CA1:RootCA
+  result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+  trust OtherIntermediate:OtherRoot
+  result pass
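Review bot: The `trust_and_db` case in the TrustAndDB section has no negative counterpart, so it does not show that the flag is what makes verification succeed. Repeating the same `verify EE1:CA2` block with the two `OtherIntermediate`/`OtherRoot` trust lines but without `trust_and_db`, and with `result fail`, would pin down that supplying unrelated trust anchors alone excludes the certificate DB; the expected result assumes that is vfychain's intended behaviour and should be confirmed. Likewise, the file's only `result fail` scenario covers a distrusted intermediate, so a case where an untrusted chain is given no anchor at all would round out the negative coverage.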
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -245,28 +245,45 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
 
     qadir=`(cd ..; pwd)`
     QADIR=${QADIR-$qadir}
 
     common=${QADIR}/common
     COMMON=${TEST_COMMON-$common}
     export COMMON
 
-    MAKE=gmake
-    $MAKE -v >/dev/null 2>&1 || MAKE=make
-    $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
-    MAKE="$MAKE --no-print-directory"
-
     DIST=${DIST-${MOZILLA_ROOT}/dist}
     SECURITY_ROOT=${SECURITY_ROOT-${MOZILLA_ROOT}/security/nss}
     TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
-    OBJDIR=`(cd $COMMON; $MAKE objdir_name)`
-    OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
-    DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
-    DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
+
+    # Allow for override options from a config file
+    if [ -n "${OBJDIR}" -a -f ${DIST}/${OBJDIR}/platform.cfg ]; then
+	. ${DIST}/${OBJDIR}/platform.cfg
+    fi
+
+    # only need make if we don't already have certain variables set
+    if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then
+        MAKE=gmake
+        $MAKE -v >/dev/null 2>&1 || MAKE=make
+        $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
+        MAKE="$MAKE --no-print-directory"
+    fi
+
+    if [ "${OBJDIR}" = "" ]; then
+        OBJDIR=`(cd $COMMON; $MAKE objdir_name)`
+    fi
+    if [ "${OS_ARCH}" = "" ]; then
+        OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
+    fi
+    if [ "${DLL_PREFIX}" = "" ]; then
+        DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
+    fi
+    if [ "${DLL_SUFFIX}" = "" ]; then
+        DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
+    fi
     OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"`
 
     BINDIR="${DIST}/${OBJDIR}/bin"
 
     # Pathnames constructed from ${TESTDIR} are passed to NSS tools
     # such as certutil, which don't understand Cygwin pathnames.
     # So we need to convert ${TESTDIR} to a Windows pathname (with
     # regular slashes).
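Review bot: `. ${DIST}/${OBJDIR}/platform.cfg` executes the file as shell code inside the test harness, and the path is unquoted both in the `-f` test and in the `.` command. Quoting both, as in `. "${DIST}/${OBJDIR}/platform.cfg"`, avoids word-splitting surprises when `DIST` contains spaces. A comment above the block should state that the file is sourced rather than parsed, so the dist directory has to be as trusted as the scripts themselves. The comment could also list the variables the file is expected to set (`OS_ARCH`, `DLL_PREFIX`, `DLL_SUFFIX`, judging by the checks that follow), since any of them left empty silently falls back to invoking make.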
@@ -291,17 +308,20 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
     echo testdir is $TESTDIR
 
 #in case of backward comp. tests the calling scripts set the
 #PATH and LD_LIBRARY_PATH and do not want them to be changed
     if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then
         if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME"  != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then
             PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
             PATH=`perl ../path_uniq -d ';' "$PATH"`
-        else
+        elif [ "${OS_ARCH}" = "Android" ]; then
+	    # android doesn't have perl, skip the uniq step
+            PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
+	else 
             PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH
             # added /bin and /usr/bin in the beginning so a local perl will 
             # be used
             PATH=`perl ../path_uniq -d ':' "$PATH"`
         fi
 
         LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$LD_LIBRARY_PATH
         SHLIB_PATH=${DIST}/${OBJDIR}/lib:$SHLIB_PATH
@@ -344,26 +364,30 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
                 *)
                     echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
                     exit 1 #does not need to be Exit, very early in script
                     ;;
             esac
             ;;
     esac
 
-    if [ -z "${DOMSUF}" ]; then
+    if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
         echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
         exit 1 #does not need to be Exit, very early in script
     fi
 
 #HOSTADDR was a workaround for the dist. stress test, and is probably 
 #not needed anymore (purpose: be able to use IP address for the server 
 #cert instead of PC name which was not in the DNS because of dyn IP address
     if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
-        HOSTADDR=${HOST}.${DOMSUF}
+	if [ -z "${DOMSUF}" ]; then
+            HOSTADDR=${HOST}
+	else
+            HOSTADDR=${HOST}.${DOMSUF}
+	fi
     else
         HOSTADDR=${IP_ADDRESS}
     fi
 
 #if running remote side of the distributed stress test we need to use 
 #the files that the server side gives us...
     if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
         for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
@@ -613,15 +637,15 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
 
     if [ -z "`echo ${IOPR_HOSTADDR_LIST} | grep '[A-Za-z]'`" ]; then
         IOPR=0
     else
         IOPR=1
     fi
     #################################################
 
-    if [ "${OS_ARCH}" != "WINNT" ]; then
+    if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "Android" ]; then
         ulimit -c unlimited
     fi 
 
     SCRIPTNAME=$0
     INIT_SOURCED=TRUE   #whatever one does - NEVER export this one please
 fi
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/dummy/dummy.sh
@@ -0,0 +1,19 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dummy/dummy.sh
+#
+# Minimal test that doesn't do anything
+#
+# NSS_TESTS="dummy" can be used for quick testing of the
+#   test script infrastructure, without running any of the tests 
+#
+########################################################################
+
+# html_failed "dummy test fail"
+html_passed "dummy test ok"
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/remote/Makefile
@@ -0,0 +1,154 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
+RTSH=$(DIST)/../../runtests.sh
+PCFG=$(DIST)/platform.cfg
+
+
+#Hint: In order to test the Makefiles without running the tests, use:
+#      make NSS_CYCLES="standard" NSS_TESTS="dummy"
+
+ifeq ($(OS_TARGET),Android)
+TEST_SHELL?=$$HOME/bin/sh
+ANDROID_PORT?="2222"
+#Define the subset of tests that is known to work on Android
+NSS_CYCLES?="standard pkix upgradedb sharedb"
+NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains"
+NSS_SSL_TESTS?="crl normal_normal iopr"
+NSS_SSL_RUN?="cov auth stress"
+else
+TEST_SHELL?="/bin/sh"
+endif
+
+# Create a package for test execution on a separate system.
+package_for_testing:
+	echo "export OBJDIR=$(OBJDIR_NAME)"     > $(PCFG)
+	echo "export OS_ARCH=$(OS_ARCH)"       >> $(PCFG)
+	echo "export OS_TARGET=$(OS_TARGET)"   >> $(PCFG)
+	echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(PCFG)
+	echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(PCFG)
+	echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"' > $(RTSH)
+	cat $(PCFG)                                  >> $(RTSH)
+	echo 'export NSS_TESTS=$(NSS_TESTS)'         >> $(RTSH)
+	echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
+	echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)'     >> $(RTSH)
+	echo 'export NSS_CYCLES=$(NSS_CYCLES)'       >> $(RTSH)
+	echo 'export USE_64=$(USE_64)'               >> $(RTSH)
+	echo 'export BUILD_OPT=$(BUILD_OPT)'         >> $(RTSH)
+	echo 'export PKITS_DATA=$(PKITS_DATA)'       >> $(RTSH)
+	echo 'export NSS_ENABLE_ECC=$(NSS_ENABLE_ECC)'                       >> $(RTSH)
+	echo 'export NSS_ECC_MORE_THAN_SUITE_B=$(NSS_ECC_MORE_THAN_SUITE_B)' >> $(RTSH)
+	echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)'                   >> $(RTSH)
+ifeq ($(OS_TARGET),Android)
+	# Android doesn't support FIPS tests, because
+	# dladdr does not return a full path for implicitly loaded libraries
+	echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
+endif
+ifeq ($(CROSS_COMPILE),1)
+# execute signing on test system
+	echo 'export DIST=$${HOME}/nsstest/dist/'           >> $(RTSH)
+	echo 'export NSPR_LIB_DIR=$${DIST}/$${OBJDIR}/lib/' >> $(RTSH)
+	echo 'echo "signing"'                               >> $(RTSH)
+# work around a bug in Android ash that has a corrupted work directory after login
+	echo 'cd $${HOME}/nsstest'                          >> $(RTSH)
+	echo 'cd security/nss/cmd/shlibsign'                >> $(RTSH)
+	echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}freebl3.$${DLL_SUFFIX}'  >> $(RTSH)
+	echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}softokn3.$${DLL_SUFFIX}' >> $(RTSH)
+	echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}nssdbm3.$${DLL_SUFFIX}'  >> $(RTSH)
+ifneq ($(OS_TARGET),Android)
+# Android's ash doesn't support "export -n" yet
+	echo 'export -n DIST'                          >> $(RTSH)
+	echo 'export -n NSPR_LIB_DIR'                  >> $(RTSH)
+endif
+	echo 'cd ../../../../'                         >> $(RTSH)
+endif
+	echo 'rm -rf tests_results'                    >> $(RTSH)
+	echo 'echo "running tests"'                    >> $(RTSH)
+	echo 'cd security/nss/tests'                   >> $(RTSH)
+	# We require progress indication on stdout while running the tests (to avoid timeouts).
+	set -o pipefail
+	echo '$(TEST_SHELL) ./all.sh | tee ../../../logfile 2>&1 |grep ": #"'       >> $(RTSH)
+	RETVAL=$?
+	echo 'cd ../../../'                            >> $(RTSH)
+	# dump test summary from end of logfile
+	echo 'echo "=========="; tail -100 logfile'    >> $(RTSH)
+	echo 'tar czf tests_results.tgz tests_results'                              >> $(RTSH)
+	echo 'echo "created tests_results.tgz"'                                     >> $(RTSH)
+	echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(RTSH)
+	echo 'echo exit status: $${RETVAL}'                                         >> $(RTSH)
+	echo 'exit $${RETVAL}'                                                      >> $(RTSH)
+	rm -f $(TESTPACKAGE)
+	(cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public security/nss/tests security/nss/cmd/bltest/tests security/nss/cmd/shlibsign; echo "created "`pwd`"/dist/$(TESTPACKAGE)" )
+
+android_run_tests:
+	ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR)  'pwd; cd; pwd; cd nsstest; export PATH=$$HOME/bin:$$PATH ; $(TEST_SHELL) runtests.sh'
+
+android_install:
+	rm -f $(DIST)/android.sftp
+	echo '-mkdir nsstest' > $(DIST)/android.sftp
+	echo '-rm nsstest/$(TESTPACKAGE)' >> $(DIST)/android.sftp
+	echo 'progress' >> $(DIST)/android.sftp
+	echo 'put $(DIST)/../$(TESTPACKAGE) nsstest' >> $(DIST)/android.sftp
+	sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(DIST)/android.sftp $(ANDROID_ADDR)
+	ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR)  'cd nsstest ; $$HOME/bin/rm -rf logfile runtests.sh dist security tests_results tests_results.tgz;  $$HOME/bin/tar xzf $(TESTPACKAGE)'
+
+WORKDIR="$(DIST)/../../"
+RESULTSPACKAGE=tests_results.tgz
+android_get_result:
+	rm -f $(WORKDIR)/result.sftp $(WORKDIR)/$(RESULTSPACKAGE)
+	echo "progress" > $(WORKDIR)/result.sftp
+	echo 'get nsstest/$(RESULTSPACKAGE) $(WORKDIR)' >> $(WORKDIR)/result.sftp
+	sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(WORKDIR)/result.sftp $(ANDROID_ADDR) 
+	(cd $(WORKDIR); tar xzf $(RESULTSPACKAGE); rm -f result.sftp $(RESULTSPACKAGE) )
+
+# Android testing assumes having built with: OS_TARGET=Android CROSS_COMPILE=1
+# Connectivity tested with Android app: SSHDroid
+# Provide appropriate ANDROID_ADDR variable, e.g.:
+#   make test_android ANDROID_ADDR=root@192.168.4.5
+# See also: https://wiki.mozilla.org/NSS:Android
+
+test_android: package_for_testing android_install android_run_tests android_get_result
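Review bot: In `package_for_testing`, the recipe lines `set -o pipefail` and `RETVAL=$?` run in make's own per-line shells on the build host instead of being written into runtests.sh, and make expands `$?` itself (here to the empty list of newer prerequisites). The generated script therefore never sets RETVAL, so its final `exit ${RETVAL}` returns the status of the preceding echo, and a failing all.sh run looks like success to `android_run_tests` and to anything gating on it. Both lines should be emitted into the script, e.g. `echo 'set -o pipefail' >> $(RTSH)` before the all.sh line and `echo 'RETVAL=$$?' >> $(RTSH)` after it; whether the Android `$(TEST_SHELL)` accepts `pipefail` needs confirming, since without it `$?` is grep's status rather than all.sh's. Separately, the Android `NSS_TEST_DISABLE_FIPS=1` line is appended to platform.cfg after `cat $(PCFG) >> $(RTSH)` has already copied that file, so it does not reach runtests.sh unless platform.cfg is read again on the device.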
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/remote/manifest.mn
@@ -0,0 +1,6 @@
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../../..
+DEPTH      = ../../..