Bug 527659, Update Mozilla-central to NSS 3.12.6
authorKai Engert <kaie@kuix.de>
Fri, 12 Feb 2010 09:47:51 +0100
changeset 38128 b384ece4feb18bc18ae961f24871fbd3bac1b7c1
parent 38127 e0f83c3ba63541a98ae799c0ccaeea3cce3d6d5f
child 38129 247b6aed541482aa001b2493ed2522a0f60482c9
push id11620
push userkaie@kuix.de
push dateFri, 12 Feb 2010 08:48:13 +0000
bugs527659, 519550
milestone1.9.3a2pre
Bug 527659, Update Mozilla-central to NSS 3.12.6 === r=rrelyea for upgrading to release candidate 1 === reapplying bug 519550 on top === includes PSM makefile tweak to keep TLS disabled (variables changed in the updated NSS snapshot) === change configure.in to require the newer system NSS, r=wtc
configure.in
security/coreconf/Darwin.mk
security/coreconf/coreconf.dep
security/manager/Makefile.in
security/nss/cmd/lib/secutil.h
security/nss/cmd/modutil/Makefile
security/nss/cmd/p7env/p7env.c
security/nss/cmd/platlibs.mk
security/nss/cmd/signtool/Makefile
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/lib/Makefile
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/secname.c
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/jar/jarver.c
security/nss/lib/libpkix/pkix/util/pkix_list.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
security/nss/lib/manifest.mn
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11pars.c
security/nss/lib/pkcs7/certread.c
security/nss/lib/pki/tdcache.c
security/nss/lib/pki/trustdomain.c
security/nss/lib/ssl/Makefile
security/nss/lib/ssl/config.mk
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.h
security/nss/lib/ssl/sslenum.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/sysinit/nsssysinit
security/nss/lib/sysinit/nsssysinit.c
security/nss/lib/util/manifest.mn
security/nss/lib/util/nssutil.h
security/nss/lib/util/secinit.c
security/nss/lib/util/secoid.c
security/nss/tests/memleak/memleak.sh
--- a/configure.in
+++ b/configure.in
@@ -4361,17 +4361,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss      Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.12.0, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
+    AM_PATH_NSS(3.12.6, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
    NSS_DEP_LIBS="\
         \$(LIBXUL_DIST)/lib/\$(LIB_PREFIX)crmf.\$(LIB_SUFFIX) \
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -126,9 +126,10 @@ DARWIN_DYLIB_VERSIONS = -compatibility_v
 # May override this with -bundle to create a loadable module.
 DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 
 MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 DLL_SUFFIX	= dylib
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
-G++INCLUDES	= -I/usr/include/g++
+USE_SYSTEM_ZLIB = 1
+ZLIB_LIBS	= -lz
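Review bot: The two assignments added at the end of the file carry no comment, so a reader cannot tell that they exist to satisfy the platform contract described in security/nss/cmd/platlibs.mk ("set USE_SYSTEM_ZLIB to 1 and ZLIB_LIBS to the linker command-line arguments"). A line above them such as `# Mac OS X provides zlib; link against the system copy (see cmd/platlibs.mk).` would record the intent. In the same commit, security/manager/Makefile.in stops passing `USE_SYSTEM_ZLIB=` on the command line, so for Mozilla client builds on Darwin this value is no longer overridden; it is worth confirming that linking the system zlib there is intended.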
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -37,8 +37,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/manager/Makefile.in
+++ b/security/manager/Makefile.in
@@ -238,19 +238,19 @@ endif
 endif
 # Build libfreebl3.so the same way it's built in Fedora, so that Fedora's
 # /lib/libcrypt.so.1 can get the NSSRAWHASH_3.12.3 symbols it needs from
 # our libfreebl3.so.
 ifeq ($(OS_ARCH),Linux)
 DEFAULT_GMAKE_FLAGS += FREEBL_NO_DEPEND=1
 endif
 
-# Turn off TLS compression support because NSS 3.12.5 Beta can't be built
+# Turn off TLS compression support because NSS 3.12.6 can't be built
 # with Mozilla's zlib.h.  See bug 527659 comment 10.
-DEFAULT_GMAKE_FLAGS += USE_SYSTEM_ZLIB=
+DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=
 
 # Disable building of the test programs in security/nss/lib/zlib
 DEFAULT_GMAKE_FLAGS += PROGRAMS=
 
 ifdef CROSS_COMPILE
 
 ifdef WINCE
 DEFAULT_GMAKE_FLAGS += \
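Review bot: The `DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=` override keeps TLS compression off only while the NSS snapshot reads exactly that variable name, and nothing here fails if a later snapshot renames it, which this commit shows has already happened once with `USE_SYSTEM_ZLIB=`. Extending the comment to name the consumer would make the next NSS update easier to audit, for example `# NSS_ENABLE_ZLIB is presumably read by security/nss/lib/ssl/config.mk; re-check the name on every NSS update.` That file is changed by this commit but is not part of this hunk, so the reference needs confirming before it is written down.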
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -315,17 +315,16 @@ extern void SECU_PrintRDN(FILE *out, CER
 #ifdef SECU_GetPassword
 /* Convert a High public Key to a Low public Key */
 extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
 #endif
 
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 
 extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
-extern void SEC_Init(void);
 
 extern char *SECU_SECModDBName(void);
 
 extern void SECU_PrintPRandOSError(char *progName);
 
 extern SECStatus SECU_RegisterDynamicOids(void);
 
 /* Identifies hash algorithm tag by its string representation. */
--- a/security/nss/cmd/modutil/Makefile
+++ b/security/nss/cmd/modutil/Makefile
@@ -52,16 +52,22 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (3) Include "component" configuration information. (OPTIONAL)       #
 #######################################################################
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 include ../platlibs.mk
 
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
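Review bot: The `ifdef USE_SYSTEM_ZLIB` block added before section (5) is repeated verbatim in security/nss/cmd/signtool/Makefile, and neither copy says why these tools now add zlib themselves. The same commit drops `$(ZLIB_LIBS)` from `JAR_LIBS` in cmd/platlibs.mk, so any other tool that links `JAR_LIBS` would need the same block; a shared variable in platlibs.mk would be less error-prone than per-tool copies. At minimum add `# libjar needs zlib; JAR_LIBS no longer pulls it in (see ../platlibs.mk).` above the block. Note that `ifdef` is true only for a non-empty value, so a `USE_SYSTEM_ZLIB=` override on the command line selects the `EXTRA_LIBS` branch.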
--- a/security/nss/cmd/p7env/p7env.c
+++ b/security/nss/cmd/p7env/p7env.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * p7env -- A command to create a pkcs7 enveloped data.
  *
- * $Id: p7env.c,v 1.9 2008/08/08 23:47:56 julien.pierre.boogz%sun.com Exp $
+ * $Id: p7env.c,v 1.10 2010/02/11 02:39:47 wtc%google.com Exp $
  */
 
 #include "nspr.h"
 #include "secutil.h"
 #include "plgetopt.h"
 #include "secpkcs7.h"
 #include "cert.h"
 #include "certdb.h"
@@ -56,18 +56,16 @@
 #include <string.h>
 
 #if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
 extern int fread(char *, size_t, size_t, FILE*);
 extern int fwrite(char *, size_t, size_t, FILE*);
 extern int fprintf(FILE *, char *, ...);
 #endif
 
-extern void SEC_Init(void);		/* XXX */
-
 
 static void
 Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -r recipient [-d dbdir] [-i input] [-o output]\n",
 	    progName);
     fprintf(stderr, "%-20s Nickname of cert to use for encryption\n",
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -246,11 +246,9 @@ endif # USE_STATIC_LIBS
 
 # If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
 # ZLIB_LIBS to the linker command-line arguments for the system zlib
 # (for example, -lz) in the platform's config file in coreconf.
 ifndef USE_SYSTEM_ZLIB
 ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
 endif
 
-JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
-	$(ZLIB_LIBS) \
-	$(NULL)
+JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX)
--- a/security/nss/cmd/signtool/Makefile
+++ b/security/nss/cmd/signtool/Makefile
@@ -53,16 +53,22 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -61,30 +61,30 @@
 #include <string.h>
 #include <time.h>
 
 #include "plgetopt.h"
 #include "nss.h"
 #include "cert.h"
 #include "sslproto.h"
 
-#define VERSIONSTRING "$Revision: 1.17 $ ($Date: 2010/01/28 06:19:11 $) $Author: nelson%bolyard.com $"
+#define VERSIONSTRING "$Revision: 1.18 $ ($Date: 2010/02/10 02:00:56 $) $Author: wtc%google.com $"
 
 
 struct _DataBufferList;
 struct _DataBuffer;
 
 typedef struct _DataBufferList {
   struct _DataBuffer *first,*last;
   int size;
   int isEncrypted;
-  char * msgBuf;
-  int    msgBufOffset;
-  int    msgBufSize;
-  int    hMACsize;
+  unsigned char * msgBuf;
+  int             msgBufOffset;
+  int             msgBufSize;
+  int             hMACsize;
 } DataBufferList;
 
 typedef struct _DataBuffer {
   unsigned char *buffer;
   int length;
   int offset;  /* offset of first good byte */
   struct _DataBuffer *next;
 } DataBuffer;
@@ -768,18 +768,18 @@ void print_ssl3_handshake(unsigned char 
   unsigned char *     hsdata;  
   int                 offset=0;
 
   PR_fprintf(PR_STDOUT,"   handshake {\n");
 
   if (s->msgBufOffset && s->msgBuf) {
     /* append recordBuf to msgBuf, then use msgBuf */
     if (s->msgBufOffset + recordLen > s->msgBufSize) {
-      int    newSize = s->msgBufOffset + recordLen;
-      char * newBuf = PORT_Realloc(s->msgBuf, newSize);
+      int             newSize = s->msgBufOffset + recordLen;
+      unsigned char * newBuf = PORT_Realloc(s->msgBuf, newSize);
       if (!newBuf) {
 	PR_ASSERT(newBuf);
 	showErr( "Realloc failed");
         exit(10);
       }
       s->msgBuf = newBuf;
       s->msgBufSize = newSize;
     }
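Review bot: `int newSize = s->msgBufOffset + recordLen;` is still an unchecked signed addition on lengths derived from the captured traffic, and retyping `newBuf` does not change that; a sum that wraps would defeat the `> s->msgBufSize` test or hand PORT_Realloc a negative size. The type and upper bound of `recordLen` are set outside this hunk, so the value may already be bounded by the record parser, but a guard before the comparison such as `if (recordLen < 0 || s->msgBufOffset > INT_MAX - recordLen) { showErr("Record too large"); exit(10); }` would make that explicit. The same applies to the `newMsgLen` reallocation in the next hunk of this file. Separately, `PR_ASSERT(newBuf)` inside `if (!newBuf)` always fires in debug builds, so the `showErr` message is never reached there.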
@@ -1127,17 +1127,17 @@ void print_ssl3_handshake(unsigned char 
       if (!s->msgBuf) {
 	PR_ASSERT(s->msgBuf);
 	showErr( "Malloc failed");
         exit(11);
       }
       s->msgBufSize = newMsgLen;
       memcpy(s->msgBuf, recordBuf + offset, newMsgLen);
     } else if (newMsgLen > s->msgBufSize) {
-      char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
+      unsigned char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
       if (!newBuf) {
 	PR_ASSERT(newBuf);
 	showErr( "Realloc failed");
         exit(12);
       }
       s->msgBuf = newBuf;
       s->msgBufSize = newMsgLen;
     } else if (offset || s->msgBuf != recordBuf) {
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -224,18 +224,18 @@ errExit(char * funcString)
 ** 
 ** Routines for disabling SSL ciphers.
 **
 **************************************************************************/
 
 void
 disableAllSSLCiphers(void)
 {
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
+    const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
+    int             i            = SSL_GetNumImplementedCiphers();
     SECStatus       rv;
 
     /* disable all the SSL3 cipher suites */
     while (--i >= 0) {
 	PRUint16 suite = cipherSuites[i];
         rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
 	if (rv != SECSuccess) {
 	    printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -269,18 +269,18 @@ milliPause(PRUint32 milli)
 {
     PRIntervalTime ticks = PR_MillisecondsToInterval(milli);
     PR_Sleep(ticks);
 }
 
 void
 disableAllSSLCiphers(void)
 {
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
+    const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
+    int             i            = SSL_GetNumImplementedCiphers();
     SECStatus       rv;
 
     /* disable all the SSL3 cipher suites */
     while (--i >= 0) {
 	PRUint16 suite = cipherSuites[i];
         rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
 	if (rv != SECSuccess) {
 	    PRErrorCode err = PR_GetError();
--- a/security/nss/lib/Makefile
+++ b/security/nss/lib/Makefile
@@ -63,16 +63,20 @@ ZLIB_SRCDIR = zlib  # Add the zlib direc
 endif
 
 ifndef MOZILLA_CLIENT
 ifndef NSS_USE_SYSTEM_SQLITE
 SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
 endif
 endif
 
+ifeq ($(OS_ARCH),Linux)
+SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
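Review bot: In `SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.` the two spaces before `#` become part of the variable's value, because make strips the comment but not the whitespace in front of it. That is harmless while the variable is only expanded into the `DIRS` word list, and it matches the `SQLITE_SRCDIR` line above, but it would break any later `ifeq` or path concatenation on the value; putting the comment on its own line above the assignment avoids the trap. The block is also keyed on `OS_ARCH` alone, whereas the sqlite block just above is skipped under `MOZILLA_CLIENT`. If sysinit is not meant to be built inside Mozilla client builds, that guard is missing here.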
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -453,17 +453,17 @@ ParseRFC1485AVA(PRArenaPool *arena, char
 	if (vt == SEC_ASN1_DS) {
 	    /* RFC 4630: choose PrintableString or UTF8String */
 	    if (IsPrintable((unsigned char*) valBuf, valLen))
 		vt = SEC_ASN1_PRINTABLE_STRING;
 	    else 
 		vt = SEC_ASN1_UTF8_STRING;
 	}
 
-	derVal.data = valBuf;
+	derVal.data = (unsigned char*) valBuf;
 	derVal.len  = valLen;
 	a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal);
     }
     return a;
 
 loser:
     /* matched no kind -- invalid tag */
     PORT_SetError(SEC_ERROR_INVALID_AVA);
@@ -976,17 +976,17 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava,
 	    if (unknownTag) 
 	    	PR_smprintf_free(unknownTag);
 	    return SECFailure;
 	}
     }
 
     nameLen  = strlen(tagName);
     valueLen = (useHex ? avaValue->len : 
-		cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, 
+		cert_RFC1485_GetRequiredLen((char *)avaValue->data, avaValue->len, 
 					    &mode));
     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
 
     maxName  = nameLen;
     maxValue = valueLen;
     if (len <= sizeof(tmpBuf)) {
     	encodedAVA = tmpBuf;
     } else if (strict != CERT_N2A_READABLE) {
@@ -1189,18 +1189,18 @@ avaToString(PRArenaPool *arena, CERTAVA 
     char *    buf       = NULL;
     SECItem*  avaValue;
     int       valueLen;
 
     avaValue = CERT_DecodeAVAValue(&ava->value);
     if(!avaValue) {
 	return buf;
     }
-    valueLen = cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, 
-					   NULL) + 1;
+    valueLen = cert_RFC1485_GetRequiredLen((char *)avaValue->data,
+                                           avaValue->len, NULL) + 1;
     if (arena) {
 	buf = (char *)PORT_ArenaZAlloc(arena, valueLen);
     } else {
 	buf = (char *)PORT_ZAlloc(valueLen);
     }
     if (buf) {
 	SECStatus rv = escapeAndQuote(buf, valueLen, (char *)avaValue->data, 
 	                              avaValue->len, NULL);
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -34,17 +34,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.101 2009/05/18 21:33:25 nelson%bolyard.com Exp $
+ * $Id: certdb.c,v 1.102 2010/02/10 02:00:57 wtc%google.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -1548,24 +1548,26 @@ cert_VerifySubjectAltName(CERTCertificat
 	switch (current->type) {
 	case certDNSName:
 	    if (!isIPaddr) {
 		/* DNS name current->name.other.data is not null terminated.
 		** so must copy it.  
 		*/
 		int cnLen = current->name.other.len;
 		rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, 
-					    current->name.other.data, cnLen);
+					    (char *)current->name.other.data,
+					    cnLen);
 		if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) {
 		    cnBufLen = cnLen * 3 + 3; /* big enough for worst case */
 		    cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
 		    if (!cn)
 			goto fail;
 		    rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, 
-					    current->name.other.data, cnLen);
+					    (char *)current->name.other.data,
+					    cnLen);
 		}
 		if (rv == SECSuccess)
 		    rv = cert_TestHostName(cn ,hn);
 		if (rv == SECSuccess)
 		    goto finish;
 	    }
 	    DNSextCount++;
 	    break;
--- a/security/nss/lib/certdb/secname.c
+++ b/security/nss/lib/certdb/secname.c
@@ -585,17 +585,17 @@ CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
     ** not equal
     */
     ac = CountArray((void**) aavas);
     bc = CountArray((void**) bavas);
     if (ac < bc) return SECLessThan;
     if (ac > bc) return SECGreaterThan;
 
     while (NULL != (aava = *aavas++)) {
-	for (bavas = b->avas; bava = *bavas++; ) {
+	for (bavas = b->avas; NULL != (bava = *bavas++); ) {
 	    rv = SECITEM_CompareItem(&aava->type, &bava->type);
 	    if (SECEqual == rv) {
 		rv = CERT_CompareAVA(aava, bava);
 		if (SECEqual != rv) 
 		    return rv;
 		break;
 	    }
     	}
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: cryptohi.h,v 1.13 2009/09/23 22:51:56 wtc%google.com Exp $ */
+/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #ifndef _CRYPTOHI_H_
 #define _CRYPTOHI_H_
 
 #include "blapit.h"
 
 #include "seccomon.h"
 #include "secoidt.h"
@@ -132,17 +132,18 @@ extern SECStatus SGN_End(SGNContext *cx,
 ** signature/hash algorithm.
 **	"result" the final signature data (memory is allocated)
 **	"buf" the input data to sign
 **	"len" the amount of data to sign
 **	"pk" the private key to encrypt with
 **	"algid" the signature/hash algorithm to sign with 
 **		(must be compatible with the key type).
 */
-extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
+extern SECStatus SEC_SignData(SECItem *result,
+			     const unsigned char *buf, int len,
 			     SECKEYPrivateKey *pk, SECOidTag algid);
 
 /*
 ** Sign a pre-digested block of data using private key encryption, encoding
 **  The given signature/hash algorithm.
 **	"result" the final signature data (memory is allocated)
 **	"digest" the digest to sign
 **	"pk" the private key to encrypt with
@@ -343,18 +344,18 @@ extern SECStatus VFY_VerifyDigestWithAlg
 ** 	"buf" the input data
 ** 	"len" the length of the input data
 ** 	"key" the public key to check the signature with
 ** 	"sig" the encrypted signature data
 **	"sigAlg" specifies the signing algorithm to use.  This must match
 **	    the key type.
 **	"wincx" void pointer to the window context
 */
-extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
-				SECKEYPublicKey *key, SECItem *sig,
+extern SECStatus VFY_VerifyData(const unsigned char *buf, int len,
+				const SECKEYPublicKey *key, const SECItem *sig,
 				SECOidTag sigAlg, void *wincx);
 /*
 ** Verify the signature on a block of data. The signature data is an RSA
 ** private key encrypted block of data formatted according to PKCS#1.
 ** 	"buf" the input data
 ** 	"len" the length of the input data
 ** 	"key" the public key to check the signature with
 ** 	"sig" the encrypted signature data
@@ -386,16 +387,16 @@ extern SECStatus VFY_VerifyDataDirect(co
 **	"algid" specifies the signing algorithm and parameters to use.
 **         This must match the key type.
 **      "hash" optional pointer to return the oid of the actual hash used in 
 **         the signature. If this value is NULL no, hash oid is returned.
 **	"wincx" void pointer to the window context
 */
 extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, 
 				int len, const SECKEYPublicKey *key,
-				 const SECItem *sig,
+				const SECItem *sig,
 				const SECAlgorithmID *algid, SECOidTag *hash,
 				void *wincx);
 
 
 SEC_END_PROTOS
 
 #endif /* _CRYPTOHI_H_ */
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secsign.c,v 1.21 2009/09/23 22:51:56 wtc%google.com Exp $ */
+/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "secder.h"
 #include "keyhi.h"
 #include "secoid.h"
 #include "secdig.h"
@@ -272,17 +272,17 @@ SGN_End(SGNContext *cx, SECItem *result)
 
 /************************************************************************/
 
 /*
 ** Sign a block of data returning in result a bunch of bytes that are the
 ** signature. Returns zero on success, an error code on failure.
 */
 SECStatus
-SEC_SignData(SECItem *res, unsigned char *buf, int len,
+SEC_SignData(SECItem *res, const unsigned char *buf, int len,
 	     SECKEYPrivateKey *pk, SECOidTag algid)
 {
     SECStatus rv;
     SGNContext *sgn;
 
 
     sgn = SGN_NewContext(algid, pk);
 
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secvfy.c,v 1.22 2008/02/28 04:27:36 nelson%bolyard.com Exp $ */
+/* $Id: secvfy.c,v 1.23 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "keyhi.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "pk11func.h"
@@ -716,18 +716,18 @@ VFY_VerifyDataDirect(const unsigned char
 		     const SECKEYPublicKey *key, const SECItem *sig,
 		     SECOidTag encAlg, SECOidTag hashAlg,
 		     SECOidTag *hash, void *wincx)
 {
     return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx);
 }
 
 SECStatus
-VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	       SECItem *sig, SECOidTag algid, void *wincx)
+VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key,
+	       const SECItem *sig, SECOidTag algid, void *wincx)
 {
     SECOidTag encAlg, hashAlg;
     SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg);
     if (rv != SECSuccess) {
 	return rv;
     }
     return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, wincx);
 }
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -530,17 +530,17 @@ jar_parse_any(JAR *jar, int type, JAR_Si
 		    return JAR_ERR_MEMORY;
 		}
 
 		ADDITEM (jar->metainfo, jarTypeMeta,
 		x_name, met, sizeof (JAR_Metainfo));
 	    }
 	}
 
-	if (!x_name || !*x_name) {
+	if (!*x_name) {
 	    /* Whatever that was, it wasn't an entry, because we didn't get a 
 	       name. We don't really have anything, so don't record this. */
 	    continue;
 	}
 
 	dig = PORT_ZNew(JAR_Digest);
 	if (dig == NULL)
 	    return JAR_ERR_MEMORY;
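Review bot: Dropping the `!x_name` test leaves `if (!*x_name)` as an unguarded dereference, which is safe only if `x_name` is an array or is otherwise guaranteed non-NULL at this point. Its declaration is outside this hunk; if it is a local array the removed test was dead code and the change is fine, but that should be stated, because this loop parses manifest data from the archive being verified. Suggested comment above the test: `/* x_name is a fixed-size local buffer, never NULL; only emptiness needs checking. */` (confirm against the declaration before adding it). jar_parse_any continues beyond both ends of the hunk.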
--- a/security/nss/lib/libpkix/pkix/util/pkix_list.c
+++ b/security/nss/lib/libpkix/pkix/util/pkix_list.c
@@ -115,17 +115,17 @@ pkix_List_Destroy(
         /* Check that this object is a list */
         PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
                     PKIX_OBJECTNOTLIST);
 
         list = (PKIX_List *)object;
 
         /* We have a valid list. DecRef its item and recurse on next */
         PKIX_DECREF(list->item);
-        while (nextItem = list->next) {
+        while ((nextItem = list->next) != NULL) {
             list->next = nextItem->next;
             nextItem->next = NULL;
             PKIX_DECREF(nextItem);
         }      
         list->immutable = PKIX_FALSE;
         list->length = 0;
         list->isHeader = PKIX_FALSE;
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -38,16 +38,23 @@
  * pkix_pl_pk11certstore.c
  *
  * PKCS11CertStore Function Definitions
  *
  */
 
 #include "pkix_pl_pk11certstore.h"
 
+/*
+ * PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024) is too small for downloading
+ * CRLs.  We observed CRLs of sizes 338759 and 439035 in practice.  So we
+ * need to use a higher max response length for CRLs.
+ */
+#define PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH (512 * 1024)
+
 /* --Private-Pk11CertStore-Functions---------------------------------- */
 
 /*
  * FUNCTION: pkix_pl_Pk11CertStore_CheckTrust
  * DESCRIPTION:
  * This function checks the trust status of this "cert" that was retrieved
  * from the CertStore "store" and returns its trust status at "pTrusted".
  *
@@ -866,16 +873,18 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_C
                               ((PKIX_PL_NssContext*)plContext)->timeoutSeconds),
                                    &pRequestSession) != SECSuccess) {
                 savedError = PKIX_HTTPSERVERERROR;
                 break;
             }
 
             myHttpResponseDataLen =
                 ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
+            if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
+                myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
 
             /* We use a non-zero timeout, which means:
                - the client will use blocking I/O
                - TryFcn will not return WOULD_BLOCK nor a poll descriptor
                - it's sufficient to call TryFcn once
             */
             /* we don't want result objects larger than this: */
             if ((*hcv1->trySendAndReceiveFcn)(
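Review bot: The two lines added after the `maxResponseLength` assignment use `PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH` as a floor, so a caller that configured a smaller `maxResponseLength` to bound what an HTTP server can make the client buffer now gets 512 KiB for CRL downloads regardless. If the intent is only to fix the built-in default, raise the limit only when the context still holds that default, e.g. `if (myHttpResponseDataLen == PKIX_DEFAULT_MAX_RESPONSE_LENGTH)`. Otherwise rename the macro to say "minimum" and document that CRL fetches ignore lower configured values. The new `if` body should also be braced like the `if` just above it. DownloadCrl starts and ends outside this hunk, so how `maxResponseLength` is populated is not visible here.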
--- a/security/nss/lib/manifest.mn
+++ b/security/nss/lib/manifest.mn
@@ -50,17 +50,17 @@ DEPTH      = ../..
 #  crmf jar (not dll's)
 DIRS =  util freebl $(SQLITE_SRCDIR) softoken \
 	base dev pki pki1 \
 	libpkix \
 	certdb certhigh pk11wrap cryptohi nss \
 	$(ZLIB_SRCDIR) ssl \
 	pkcs12 pkcs7 smime \
 	crmf jar \
-	ckfw      \
+	ckfw $(SYSINIT_SRCDIR) \
 	$(NULL)
 
 #  fortcrypt  is no longer built
 
 #
 # these dirs are not built at the moment
 #
 #NOBUILD_DIRS = jar
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.74 2009/11/20 20:15:05 christophe.ravel.bugs%sun.com Exp $ */
+/* $Id: nss.h,v 1.76 2010/02/11 19:12:45 christophe.ravel.bugs%sun.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
 #ifdef NSS_ENABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
@@ -61,22 +61,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
 #define NSS_VPATCH   6
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
@@ -258,21 +258,17 @@ extern SECStatus NSS_InitReadWrite(const
 #define NSS_INIT_NOPK11FINALIZE   0x100
 #define NSS_INIT_RESERVED         0x200
 
 #define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \
         NSS_INIT_PK11RELOAD | \
         NSS_INIT_NOPK11FINALIZE | \
         NSS_INIT_RESERVED
 
-#ifdef macintosh
-#define SECMOD_DB "Security Modules"
-#else
 #define SECMOD_DB "secmod.db"
-#endif
 
 typedef struct NSSInitContextStr NSSInitContext;
 
 
 extern SECStatus NSS_Initialize(const char *configdir, 
 	const char *certPrefix, const char *keyPrefix, 
 	const char *secmodName, PRUint32 flags);
 
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -1940,17 +1940,17 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *s
     if (!collection) {
 	return SECFailure;
     }
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) {
 	nssPKIObjectCollection_Destroy(collection);
 	return SECFailure;
     }
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     transfer_token_certs_to_collection(certList, tok, collection);
     instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
                                      tokenOnly, 0, &nssrv);
     nssPKIObjectCollection_AddInstances(collection, instances, 0);
     nss_ZFreeIf(instances);
     nssList_Destroy(certList);
     certs = nssPKIObjectCollection_GetCertificates(collection,
                                                    NULL, 0, NULL);
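Review bot: `(void)nssTrustDomain_GetCertsFromCache(td, certList);` now discards the return value with the correct cast, but nothing says why ignoring it is safe; if the call fails, `certList` presumably stays empty and the traversal silently proceeds with token objects only. A one-line comment would do, e.g. `/* certs are appended to certList; the return value carries no extra information */`, provided that is what the function guarantees, since its definition is not in this hunk. The same cast fix and the same missing explanation appear in nssTrustDomain_UpdateCachedTokenCerts in security/nss/lib/pki/tdcache.c.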
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -1129,16 +1129,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
 
 	    index = moduleSpecList;
 	    if (*index && SECMOD_GetSkipFirstFlag(module)) {
 		index++;
 	    }
 
 	    for (; *index; index++) {
 		SECMODModule *child;
+		if (0 == PORT_Strcmp(*index, modulespec)) {
+		    /* avoid trivial infinite recursion */
+		    PORT_SetError(SEC_ERROR_NO_MODULE);
+		    rv = SECFailure;
+		    break;
+		}
 		child = SECMOD_LoadModule(*index,module,PR_TRUE);
 		if (!child) break;
 		if (child->isCritical && !child->loaded) {
 		    int err = PORT_GetError();
 		    if (!err)  
 			err = SEC_ERROR_NO_MODULE;
 		    SECMOD_DestroyModule(child);
 		    PORT_SetError(err);
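Review bot: The added `PORT_Strcmp(*index, modulespec)` guard stops only a child spec that is byte-for-byte identical to its parent's spec; a cycle through a second module, or the same spec written with different whitespace or parameter order, still recurses without bound. The comment does say "trivial", but these spec strings presumably come from the module database, so a depth limit would be the more complete defence. The comment should state the limitation: `/* catches direct self-reference only; indirect cycles are not detected */`. It is also worth confirming that `modulespec` cannot be NULL here, and that the code after the loop frees `moduleSpecList` and acts on `rv` on this new `break` path; both are outside the hunk.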
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@@ -355,17 +355,17 @@ notder:
     	}
     }
 
     if ( certbegin ) {
 	/* find the ending marker */
 	while ( cl >= NS_CERT_TRAILER_LEN ) {
 	    if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
 				   NS_CERT_TRAILER_LEN) ) {
-		certend = (unsigned char *)cp;
+		certend = cp;
 		break;
 	    }
 
 	    /* skip to next eol */
 	    while ( cl && ( *cp != '\n' )) {
 		cp++;
 		cl--;
 	    }
@@ -378,17 +378,17 @@ notder:
 	}
     }
 
     if ( certbegin && certend ) {
 	unsigned int binLen;
 
 	*certend = 0;
 	/* convert to binary */
-	bincert = ATOB_AsciiToData(certbegin, &binLen);
+	bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
 	if (!bincert) {
 	    rv = SECFailure;
 	    goto loser;
 	}
 
 	/* now recurse to decode the binary */
 	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
 	
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.48 $ $Date: 2008/11/19 16:08:05 $";
+static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.49 $ $Date: 2010/02/10 02:04:32 $";
 #endif /* DEBUG */
 
 #ifndef PKIM_H
 #include "pkim.h"
 #endif /* PKIM_H */
 
 #ifndef PKIT_H
 #include "pkit.h"
@@ -494,17 +494,17 @@ nssTrustDomain_UpdateCachedTokenCerts (
   NSSToken *token
 )
 {
     NSSCertificate **cp, **cached = NULL;
     nssList *certList;
     PRUint32 count;
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) return PR_FAILURE;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     count = nssList_Count(certList);
     if (count > 0) {
 	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
 	if (!cached) {
 	    return PR_FAILURE;
 	}
 	nssList_GetArray(certList, (void **)cached, count);
 	nssList_Destroy(certList);
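Review bot: In nssTrustDomain_UpdateCachedTokenCerts the `if (!cached) { return PR_FAILURE; }` path returns without releasing `certList`, which was created a few lines earlier and is only freed by the `nssList_Destroy(certList)` call after `nssList_GetArray`. The cast fix on the line above leaves this untouched, so a failed `nss_ZNEWARRAY` leaks the list. Add `nssList_Destroy(certList);` before that `return PR_FAILURE;`. The function continues past the end of the hunk, so the `count == 0` path cannot be checked from here.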
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.60 $ $Date: 2008/10/06 02:56:00 $";
+static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.61 $ $Date: 2010/02/10 02:04:32 $";
 #endif /* DEBUG */
 
 #ifndef DEV_H
 #include "dev.h"
 #endif /* DEV_H */
 
 #ifndef PKIM_H
 #include "pkim.h"
@@ -1043,17 +1043,17 @@ NSSTrustDomain_TraverseCertificates (
     nssPKIObjectCallback pkiCallback;
     nssUpdateLevel updateLevel;
     NSSCertificate **cached = NULL;
     nssList *certList;
 
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) 
     	return NULL;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     cached = get_certs_from_list(certList);
     collection = nssCertificateCollection_Create(td, cached);
     nssCertificateArray_Destroy(cached);
     nssList_Destroy(certList);
     if (!collection) {
 	return (PRStatus *)NULL;
     }
     /* obtain the current set of active slots in the trust domain */
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -66,21 +66,16 @@ DEFINES += -DIN_LIBSSL
 else
 ifeq ($(OS_TARGET),OS2)
 CSRCS	+= os2_err.c
 else
 CSRCS	+= unix_err.c
 endif
 endif
 
-ifdef USE_SYSTEM_ZLIB
-DEFINES += -DNSS_ENABLE_ZLIB
-EXTRA_LIBS += $(ZLIB_LIBS)
-endif
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -38,17 +38,16 @@
 ifdef NISCC_TEST
 DEFINES += -DNISCC_TEST
 endif
 
 ifdef NSS_SURVIVE_DOUBLE_BYPASS_FAILURE
 DEFINES += -DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE
 endif
 
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
@@ -77,17 +76,16 @@ EXTRA_SHARED_LIBS += \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
 endif # NS_USE_GCC
 
 else
 
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnss3 \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
@@ -95,8 +93,28 @@ EXTRA_SHARED_LIBS += \
 	-lnspr4 \
 	$(NULL)
 
 ifeq ($(OS_ARCH), BeOS)
 EXTRA_SHARED_LIBS += -lbe
 endif
 
 endif
+
+# Mozilla's mozilla/modules/zlib/src/zconf.h adds the MOZ_Z_ prefix to zlib
+# exported symbols, which causes problem when NSS is built as part of Mozilla.
+# So we add a NSS_ENABLE_ZLIB variable to allow Mozilla to turn this off.
+NSS_ENABLE_ZLIB = 1
+ifdef NSS_ENABLE_ZLIB
+
+DEFINES += -DNSS_ENABLE_ZLIB
+
+# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
+# ZLIB_LIBS to the linker command-line arguments for the system zlib
+# (for example, -lz) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
+endif
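Review bot: `NSS_ENABLE_ZLIB = 1` is assigned unconditionally on the line before `ifdef NSS_ENABLE_ZLIB`, so a value from the environment or an earlier makefile is overwritten and the test is always true. Only a command-line assignment such as an empty `NSS_ENABLE_ZLIB=` can switch it off. The comment says the variable exists so that Mozilla can turn zlib off, but not how, and a reader may expect an environment setting to work. I would add `# Enabled by default; pass NSS_ENABLE_ZLIB= on the make command line to build libssl without zlib.` above the assignment. If earlier makefiles are meant to be able to disable it as well, `NSS_ENABLE_ZLIB ?= 1` would allow that, though it also lets an inherited environment value change the default.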
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -137,16 +137,18 @@ SSL_ReHandshakeWithTimeout;
 ;+    global:
 SSL_CanBypass;
 ;+    local:
 ;+*;
 ;+};
 ;+NSS_3.12.6 {      # NSS 3.12.6 release
 ;+    global:
 SSL_ConfigServerSessionIDCacheWithOpt;
+SSL_GetImplementedCiphers;
 SSL_GetNegotiatedHostInfo;
+SSL_GetNumImplementedCiphers;
 SSL_HandshakeNegotiatedExtension;
 SSL_ReconfigFD;
 SSL_SetTrustAnchors;
 SSL_SNISocketConfigHook;
 ;+    local:
 ;+*;
 ;+};
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl.h,v 1.35 2010/02/04 03:21:11 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.36 2010/02/10 18:07:21 wtc%google.com Exp $ */
 
 #ifndef __ssl_h_
 #define __ssl_h_
 
 #include "prtypes.h"
 #include "prerror.h"
 #include "prio.h"
 #include "seccomon.h"
@@ -56,19 +56,25 @@
 #define SSL_IMPORT extern
 #endif
 
 SEC_BEGIN_PROTOS
 
 /* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
 SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
 
+/* the same as the above, but is a function */
+SSL_IMPORT const PRUint16 *SSL_GetImplementedCiphers(void);
+
 /* number of entries in the above table. */
 SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
 
+/* the same as the above, but is a function */
+SSL_IMPORT PRUint16 SSL_GetNumImplementedCiphers(void);
+
 /* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
 #define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
 
 /*
 ** Imports fd into SSL, returning a new socket.  Copies SSL configuration
 ** from model.
 */
 SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
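Review bot: The two new comments, `/* the same as the above, but is a function */`, do not tell a caller what the accessors return. From sslenum.c in this same commit, `SSL_GetImplementedCiphers()` returns the static `SSL_ImplementedCiphers` table itself, which ends with a 0 entry, and `SSL_GetNumImplementedCiphers()` returns the count without that terminator. I would say so here, e.g. `/* returns the static table above (terminated by a 0 entry); the caller must not free it */` and `/* returns the number of cipher suites in the table, not counting the terminating 0 */`. Without that, a caller that sizes a buffer from the count and then copies up to and including the terminator is off by one.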
--- a/security/nss/lib/ssl/sslenum.c
+++ b/security/nss/lib/ssl/sslenum.c
@@ -34,31 +34,34 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslenum.c,v 1.16 2008/12/17 06:09:19 nelson%bolyard.com Exp $ */
+/* $Id: sslenum.c,v 1.17 2010/02/10 18:07:21 wtc%google.com Exp $ */
 
 #include "ssl.h"
 #include "sslproto.h"
 
 /*
  * The ciphers are listed in the following order:
  * - stronger ciphers before weaker ciphers
  * - national ciphers before international ciphers
  * - faster ciphers before slower ciphers
  *
  * National ciphers such as Camellia are listed before international ciphers
  * such as AES and RC4 to allow servers that prefer Camellia to negotiate
  * Camellia without having to disable AES and RC4, which are needed for
  * interoperability with clients that don't yet implement Camellia.
+ *
+ * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
+ * in ssl3ecc.c.
  */
 const PRUint16 SSL_ImplementedCiphers[] = {
     /* 256-bit */
 #ifdef NSS_ENABLE_ECC
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 #endif /* NSS_ENABLE_ECC */
     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
@@ -144,8 +147,19 @@ const PRUint16 SSL_ImplementedCiphers[] 
 
     0
 
 };
 
 const PRUint16 SSL_NumImplementedCiphers = 
     (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
 
+const PRUint16 *
+SSL_GetImplementedCiphers(void)
+{
+    return SSL_ImplementedCiphers;
+}
+
+PRUint16
+SSL_GetNumImplementedCiphers(void)
+{
+    return SSL_NumImplementedCiphers;
+}
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -34,17 +34,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.76 2010/02/04 03:08:45 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.77 2010/02/10 00:33:50 wtc%google.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
 
 #ifdef DEBUG
 #undef NDEBUG
 #else
 #undef NDEBUG
@@ -125,21 +125,17 @@ extern int Debug;
 #endif
 
 #ifdef DEBUG
 #define SSL_DBG(b) if (ssl_debug) ssl_Trace b
 #else
 #define SSL_DBG(b)
 #endif
 
-#ifdef macintosh
-#include "pprthred.h"
-#else
 #include "private/pprthred.h"	/* for PR_InMonitor() */
-#endif
 #define ssl_InMonitor(m) PZ_InMonitor(m)
 
 #define LSB(x) ((unsigned char) ((x) & 0xff))
 #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
 
 /************************************************************************/
 
 typedef enum { SSLAppOpRead = 0,
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..bdc7f69bc35d619e7ecb6dacd976b27e5ba40564
GIT binary patch
literal 35588
zc$~F;3t*JRwf}s(o8-$oupw_?fdo+@F9HG*Mal9o0U`;=OT#AFBnwLtv%4Xn2zEh9
zW4z#_YOh}KZ7a0))>>Ptmm(@y+ft<x6un#x7@DXlL_kISpEKut-+sGUZ2Q0e|LW#9
zXU>^3XJ*dKoSAQT88zL}QqyovOr9<HRZuv2($vXCg_Eb)Z22<B_}6BetR-wKV}uYU
zcyGdYRh4V<l*zgEPH$CnO_jI7*SI>jx=qZlsHj@#^!i#F=QY*(+|G(-XHAL2>ky3|
zk7u37)#&o(HsyuXJ1HM4p}z(B`I9FX*=!Rh73Jr1y&LUivlK-U+Dj2;5uk*4cqL(x
z{5wu$iFC;y2Jc1fCo24X-kuBJefQm+uc7&GmSn3-2rVezY2Vpy$(8~gcC~ZS&i2Y|
zi<Yxx@4Bd$QL5M4VSgb<^b1ieW(bk^z~01{_WJjGm*4yvRgrC|qSKE>G#%~s{x|Id
znB(8jFMKgl->D1mr^DW_3HkTN2jmC*8wPa2cUch3?XV97OqI#u(njAf1BXgICe4UI
zGr|_^z9<V`j=j*YU=0I-HhYJL>gz4<^v7OO*+c)LGBf1(_h;*UmmJi0Lk)fB-=C~Y
zSqxIFTN?&TSXF4wV3mPV$(I<sQ9*-8gTY?V-08n!a5q3BOFR8}VHt&;{-Usq^iKa(
z;TTXAI&W`;tWobKf1ld300a&qu^4QgVQi@-J6Y?McKflOw<Y%YH}nXv+Tlk(?~Uvr
zueA5QY40a*Jf=HY8dTZSbP-E+_gwic;&K0m<05hM4^Z!IG{Eb?4}X8$)c%IqcZ_s*
z`j;uFyVJi?k!?xpu=fGPb=czo)DHV`Y+$FqRx$Kxq~G4J7<7dS_YD&EZ|D}@`8{dU
z4y<-1SL-%mlLms6u>k|5vzv6@ZVGRJ*?#Ozxo%+Xx?6V#lE?h}XDq)ZoTu=t?oEZd
zq$af^;JEey#gGl1_dcvH8n@GbA$V-T1=Owf3yH7VFZj=o^Uj1n8{_=vM|(&3&tK-X
z_D=PmU+x|2KYyDy!+(CdH=%bNiuPV6|Bib38Z;y0<qdM7diiFAxR);{FR}p~3^O}q
zjRVw3k@(W0fy9^IQQlDwCH`6@{(5hYu%Us;AqH;RaA5^apM&8HN1HF(kb;H}=}keK
zW6<UZusPVR1Eu4jbZ-i1Nqk96vtQ7}tbV(yQ10fvzT?J1X}vaLB)+;AJ9HGyr?3Uz
z3od9eGQGos)VxnV{vl+t{J1ylXKXykL82zAaa~Ym5tQF*KZ7;&uEaIN8?8CW4MBpt
z$cYo>x`Hy&?y;LToU!?WO`1(6jnI1Mj5kH9SGMU5{86uE8`0Vr7X^<o>dBSMK{wC)
zjz!&=|Ch^u-+n+_-e7l&qiI0v!BevEfPb$NSO|MM>^-o0z~rFrvyhL+bu1caPr~Iu
zTO?NnHR7+|%I20x%dZJyJ@Kv96aBI$`ejd~Xm+9~t|wcQ{PsSDhwf^7cgt@f^9>Z}
z@$WCvJak-dE-9a0?2D9@jSH&m>kG272*~W65ac8WxSOKn`Uh*tKu`k*4u+ZgT;wUa
zRKhBgrY$0A9bj^DJO05`5~h+c71y40>W2!&AFAAE-ZE>;ziL?ir-N-Ob}K9z-gueN
zmkqh5Y4Y)4ZpWgyb`zMW*ws@bS$Tw1{_Z7}N1#EhJn2%(U-%Z4C+W)fapV*$l^+eO
zd@3l9#dfpu<Vz{9kjj%a<-HB4*&;QcxTIza_AP5pyOidyE}-T#U2_8Gzpssxq(1*f
zqvSv*ZfUs4p-CVrxw9`@;T<(-#6u&xIN^<fK_XA$-SiI>vibL#iob(os}0*{Rj_@1
z+&+j3EP)LPbz|n1esn>7lUQV7;h_B9YN=bn?TtCI1L6!FHikqLdtB$1zF>*>Wa9^V
z$1?q27m$u)>fNt3idyslbmX1;u`8%wdXssQjps?05HyuOhE%w%(qLVn^Kf<qhVJf*
zdd#9NB$c${^cGS4t5Td`!5u!(RDA_a<NU?45?H7D$fkX$B@nRcLwplPQCYzw?B8qQ
ziJXLHCE@rcZvG9mfSu*XIK<Bi<4pGJUTYkL#10t|?DM}hLn_ldwG>h?I@pbF-)KB_
zG+U_hjwzC5(zHaMZ;$NFLOuDxjP}#f`!uDP=a9V@C$|F4&=u$`$~OQ0tmU^<-5h3n
zc+=h;BcVq~=p&HJuz!Ope9+^4r^YC{^Z)9+Vd6}m;EM&}?_{*2`M~u2#4U$NHFk}G
z(dJFy)RM$4FOWzQi=28~i(X~F)1s~H?X;M*XatnO)E}ZV{XO~U#B*5X$~!VSRkzV7
zbQ21VVb+X0=5uP+#u9_jRkY~C&az=VhJO1Jf4&Gdy8);k9TL4<+hn<CZ={|D$4dM;
zxTbVAeJcuaegB4J2nAp@)OLtCgVWz9Cu6_d0Fw=p3QdpR(R@UlagmQA{lXh-I5ryn
z8QnQQXmoiz2L{)hA?xkNuv%NR4oOeG$)b63x51O6c#dJNz2{Urxrv;k^)h}a=~&d?
z*@2;E`ypkoatPwyjuO?<{(H>-WpKVFzr8G5rAm4Xm86H&p+-a3Vze$#FH`OPx8KXf
z8o$w^5*`&-Xy^`Ok{>>F=WaNKYu`TJrQ>K_Ue4?CPcPCAc)bPYd7R++Zs^KRzmr9y
zG|@PnwT4;0_=;nSq&H`%v|~VISl{XQSi+tC;z$tZRPPwBV31G@3DJNU&f-ZOGc4`<
z?tBaKZP=!A3m>dH{p+-y#D5nXw&ZJW`quI!U2NMRv4Viu5aW?Od$6NnpW6Fzw)M*>
z%$q|gj=$EQk;Ys3=tV2xyF9ZN^&3M{EvVEq`6vwPELUV0g<W{Z#L)1x4~n3YO3k<W
z43osn0b`%B4IxXR7_<~(KZ{Fm^LH!y#`fqLd1UU*z(|!(l67Cwp1p~9kV~bH;nM20
zcP#2_M<17t9uo4v)C^^-+I^M5!(qz{k_wbIPVD1>{rAh$(iCpxsi$$u+mBJ@(&mwJ
zoq@qPrf3%P@a_4#9KOZD^6h8Xy-{Ae_N0zQJpq%<^7yTGXhE7>xYk_29ivAvIB%GR
zP3kW>9n^PTm>)e?!^VD(ojo2Z12^e5F1{r}^E_#*{V=aphLzCX-8+g7GSlpbabz($
zeT7ek{PM!V-mPdS9p7K&h{2p1z$MCJqTnld!20AhK!6`$_&4<F5zRbwOI)+035DTI
zfK<;LVg+?jw>$y$;0dTF*rxr`nM*F+YLK&cZ?*poj^@%~9{2*!r@g_uLWpC>cKFYu
zW5fhJyS-n#VT=nngVIk&Zr&E;z^6h*y@nttlM1Gy->wL_poNMSO0xnn-J6zdw5Mn4
zMJ;%PXh!y&N;dVbleH8izPhLv%Ki=Jc@my}Dzo|Sh$3kJV;1A(U4QRL{c?!~o(&eD
zvnSOd$v)|bhQ*`b*v%n9?bY@q-N4bIHSG?nY2bS<J*9u8ke;b_6%Ei`>r(fW&|?#X
ze&^TELxFqL1QEF1HeNAfC0U*RU+SBR&N6z#RdPcg*6IJ<V7X5JtKU;N=^qt-?RyF*
z|D(che^24Ge^mJBB@4^(y<`Ms+!RjzmlW^$E%tN!d+on}_hftj7`wV<Z{p^iVOak2
zGkn7XXM;}v$3gzk*P9bsg2YY)i^;3cV!G7~TxWhB?8U)hkHL3wnTeFMshd`m9{>4~
ziFZws9YD?661G`!FiBU*x~~mmX26hvP$xGSGJv&TqLm`TST4x8CW_+%!J9m(O%EEF
z!!$5mvISkT1zq6=<~LI8I7uIqYw(<oMaM$p%u2j+>3UTvI0p(oZ9hMCpD!bfq(#Mj
zKG6?5o)(fGyL~s_m3zzm8x9L^AzfpGzQf^$svGkS_ssUgcyK))&O;9S?Oo6*U9wZM
zr2Jw3{^^FpT*!Km5q>?$`2O`^-T!7i*!E9NEHJe)XyHtTT^aVL!~XM%cc{E1@uhG~
z485DokuM~pJN?lSGRgbLXWw!!W>K|i@<NC14zRJ8aflQY%O5>YeWLSwf}`Buoaf_J
zw_N<Y16|Z3GYt0!aXA=X!{nGuK}|B<VkFTR#_2Z|yayyj1kd@gRBDi1QLr3$=R05N
z&)DAlicd6^VY~EA`vLOtw*~J-Z-+jT=vZ_>IfS8!{ea*8HaOPXSKH%mf6s3}0O<pP
z$`2tG6mT923@xc&WK=JQ;ZVRON+LvPW;koKERL`P7CqTvw^5H~QBS2&PbHJmB<Tfm
zz>am;^C@#YW=@lLSBG(w3#HxJ)VH&^Z>OE7YjFJ-H;(u>GC$+I?nSq8yCwf-=HGvo
z7vw|IDFVHsyA{v)1};#2mP3rgvcTcN1&&dHW-d^0mi_RUEO5-YluB3Y4|>Gb6SNYy
z2DwldyYauB!{X9`H=omYhjr&@cfe!xIo-!<WU>pBe>fR@Xc@}+<ON;Se_cjzGzOs9
zz|n$^gwnPxY+L!4dKZrthLdzB^YbOYFThVC{(a0(`cj|B#82j^kNN!rTBt=G)lVJ8
zdneEO$0I@(WZ64)XZ7A$epc_D^0RvH*w6B|#L*yrBp^=4=PJhMD#Yh;iXKXT0@-ln
z40qPlpS9@cOJlfaxZ~qExJRC>kF!w03AVcXY8afmJ`?;z=eTx!?$_6r;~|$Uz)<Wx
zr}pp?2?s$C!y7<|RrN`0y!W{ljvO(UdKPiaAb;lx{aFN@1iMK)-o8ujij$hjNHupG
z8qiu0Z2W-!+;*_>17N(ob?fE}pQ~hck388+8}XQ;M?Wv)Ey}6a1#`7$4CDhZ8+-uD
zW%31sh1$rU07->yrFVUp(y#n8rH{f+)jM4;9i^Av7hF1>OGgEj{`YVBfZNxe#E&Mz
z-!JM1I=;D(N8L_Z8#<-uYbUanZ}rbJcxU$9`H|*fTl5=^ZPFLq#z*Dyf^Caj00KQL
zH-S35vOaHG8wH!VC%+fK>`m{@@4&m$KCKxG{+o_rHeR@2I!<(wc7GV9KkYMwtwxWf
zAOb(Zp$t)S60EW2gv^8?%1|XKQV3JFh>g7_)(i`}nUe`ZSW<*JVOs3f5p%6VL@*JH
zL?j6b5tRrDAyfopL|YYeLToI`DL}@=>xHJk1c@ChP$<r#1VrM;fk;-o5DAu`qKQyc
z4HQkvRY=oiadWL`_KZlB8WN#PnLui2Q4nb@(yK=@Iah@05Mo%aE~90oL<AK}Ez-LI
z$+TDn1%*gwlOlpm%3zaNJToGwbe5vbwW8SYQP3B8(03z>g5*aAv<7tAs7_3d%2lq7
z3s<kWJcT}31_P&j1CvZy3&|ORUI)eynk*5nMz1hiqH^FsWwu0|g_f8Vb$KL0<Yo{t
zo1*@LJX6F1P-k(#G&2_{<B_9AEJkrP>J6-=8!9ocS8^oBa%&Xoi@FPnS|%drmr65A
zEk&pLNWmaK0+&q7R2L>AQSPoMFgY6}EO%oC5kJNnx60&~(U5GH#Wp~tmJXR451K9a
z$fRs(=S27$X^DzBiAo+sD#{Xp`=I41BqDmT>`ySMTE@z@Mt%yGMt4Jl)rfW2o|xev
z9<lyg?4B_q<_uI3aoa>mS)kMk1wB_mzfCB31u%X#n6}9jkH&AZ#AiU(CN=)2V8EuN
z_zVPFJT3v7_KNtKFr=F{De-ujunEfSg9a+`sqohn|1CB)ejNN&p&IPQh)NKT9RDZK
z7>&uS$njQS$NUdi994-)G!Pfvs6{oBN{ab2m>actu{1Y1<~Za=-Si_#rHKgi)2K-!
zATt`1Nl}xqSPVXkikecx`aZ-?n@VLYF;S>*8c}M@4rprB)kMXCm1sjk2^y}}Z3T!w
z0IKeYUk(OtjNc&LFXDad+Ep%Wm&JxnvBRGw(K!#mkjKmbh0$Yob6=l_rbJ&hhbwDE
z;miL-mBrv^ouVfk71Yd)IB2=u+{^?}6`l7oH8bXS(C5+luSqH^<|s-QPz|=2*N|68
zHH?e-H)vdR(HD{$AM+|08a)MX=}cqtV=hO_t{x_-qL`J~XR{_qYD&yQ$eT^nj2Ju#
zM$aK?PRxsF=OVw<SssIj-{{3eRf>oYq57DG(u?cBu9*9<6C%<<UF`H<VI$rGf#lff
zDPUO4H24#jyTeR<Qwe<&m*?kUc@c8s3Uauo9!9EgBKOquC^>PgLOpdCx@r+oLtqGA
zQ*a=Dij{o}^~RZsmtti<$7-&zNimV=b~XyrwK-hbFyzgks#THHi@V0va-!p_hVgz-
zGo;ql0z9c^yBJ#Ss}oA`BhYu|?GJAhNtvKXxj{iTmf8V`a~Ch6te=4~N*R@Gu>Kmx
zLYYUDTO{{EXDMrBK`it-dJq&G_5gI3((*$=S$~5!E?L8}p$C-pn2lLBs2?AVCVh-m
zJfmPf=Dh)Lyu2s|X)9(Z&*>F@h4uegilW%N=)E{&KE}3xt=!LfH-P0ukbePGq$Fdl
zUvt}23X}k4vEru%l?zzRw7t@b=Wyj);w`cM#T1}cSofll7iHIPUunIFJ@(yV$*WDp
ziK+;Nm<?%v1ZF0vN{z+tnW`*i>qUALno_DrJJH4`;Ef;dy8)V&;b^HxCK)4A%VMyr
zW#2}a@e_1Z&3vxLEs~zbn4n2^1}ehO!rTKQ9>^Y2103mG+r1*`S+K)&yA(vBnefKX
zk3GtQw~u85lZsJrlN3au<?!ytab>|xy2k6EKGS9?h(eFRI|=OmoCP=Qg2*v#mx7r5
z6TGK`;25ZANGou7Sg_D`y-*E0_9L<o7Kj3^4N$0z3q8VxMAB23cwF`o3S9;72SCsl
zMP@v%3vR-$dR7XeP#?Vag5d8!Fr^I}{Va=GU&QWzj!ao?#g9Cge)2=D$I%MYYf=rW
zH~}U5AnR&XQ}deUW)q{4dWGC<sI#$Fm|oXh$&L61Q7f&})c{pX6~0LoHVl>X{eV8;
z<*4+8tRAbL1+r<-RbIXN6WR=y6@IEso1|{+&@UC-3b4>5aIF%^I)Me#W00qfgWFXN
z6#1ZK$eN~Fol;ZIpdDw4iW}1C@#s{N6@AlmUb8g)I~?{HMVgAW&4UoC8EUM87G!Qw
zC6lYnlxj87l6nJToPv_(?L8Y(ccSg_+T=>T3e8PmX}6pcrbLQvws&t3SvYb{P<Hs&
zkoBENpNJzrmMlRleDHo0R6dH9OpBIG%}vsuz}6Hh((_O-Ee>Kb5FUde;!n(yshNE+
z(m-0M6&k6gO3g(~u1v*C7@e#gA;)!+-llJnJ6X}(Y-B3Vu33tL)yG26JpeT?M-%WG
z02r7?6Yf_e$tJ+|fqOxEGI~O_qTs%RrJLc9U;~Xup;ShrZw)fJ5vdU<Tg!&5NR>N^
zQ$~Sk_0!mhI;jYkx!aMf*RB2!)X|_XN9k|jm~W$cvCbZNmqEQZ#%i6nP47IbY9K9{
z6N#jX)J(jw0ul>?r;%0nv2X)fbw3Ncq1D)L>9_)#o>ZjmSaU>@5N(imOt1aP;M$+m
zJx-3*(@d_Qv3gn`I$7N_+$XgoT)2*K7mRSY-LO~$25u{M=PQbWl`kA3#8Y5EAq--s
z+{RxCHsBS#`HkpGuPRv<@*NB!OnWsK7wNx6`Y5?DYE6Oj;USRychr1^Dw&#QIUkNH
zyzr#TdOy(oE>$iP$F!a#H~cU#f<7F<(~2|%EBOo#EEgc{058h?gGn+|EL72Nq9my`
z;SnLpSJ?d*pj89RU6Lvr_$4=R1@_@tu61SV?@+Hs(q5{Qm1(2Egg4+#ElDu3>1j7Y
z-m{pWjB~+i(mD$~p#T-;m}KSHf=`l#7zZsotG6P@q_sl2R*p$)#W~{A>R&dZwON=h
zW9AB=3IpWI)TJn^k+rFBqo#2tZE_SEN$A=WC|yiOp+PsmF%Uz?dlEG7C^l(hILt`0
zQN?W3iqy%d@>(XVQ_HbyXE0flx)#anbgSfQdA-(asq1lAW|}mAP2Z1$xSXs)iynaY
zCa~(HZq@Q&tCpK+9#}GJopr*rf=QJsx<wy`k>^o!gGoV+2jIO6v?eBkR#&8C=u7U;
zaC)_n2`G3)nh;$e{38^;GD<SZUXi&s+CW+|m!L%+Ce_TfMlvq*C5wSfqDk)4djijD
zrq)1DyodP@k{M{izH~S|fvLqXlQU;UN~WL9C^eFn)NQEwA>B>DxgX|nUujzns$xOa
z7*IpA?@?`R(hj8I8AFH>-ZkK7Pim&Yu2TZJex36|z`4`!lPd+8i6(ZzAtxX5UPm+0
zpMc3`Qj7O;;WD)A_iR`Bh*bfiGR*=?Udhl5e4R@yN%KJ7(;1o>f7V)vb1WN&`#9Nw
zHuy7zSOIp7gyks{4?4iqMh#CoI?1c;$H4>fNnju@V&V*GMy>B<39%J4{~a~s(F>T`
zK*$Dbq$LxNTc!ccB{P31*C5k0NtTgSUuyn9R%v81t+{8lrjwBxxgvFMgn?X{I>SiT
zrY52AIlV={w-`uhkr~-(X4xWaP3=e_UW69a!P=C0y;(9j=+B%_WDd7T`hS{P^YFdV
z1~QKPKi#agXswY<CjZySw9GfLY=)USCoA($kp|L69-hf$HhH*4j!T_}nzPud8R$tG
zQIab6f#GIq?VMD+y41<C5i&^B$nw-9CIh#U{7NI2q~3`pjxcMT-V<RUSEi0r3}kKU
zhemD#je$l&r@OKBi>TAF!<X2EI1a6fg|#=cmzdhh_K=a}NKPZwjQJH6!nBylxK#Xb
zh3O{E$PqGLUZNW**UTllk<%g!WCQia65Ys=U#Rl<te|l}fOj19<xDiN!lIw6!N3ep
zOHF{Zi1g?2w7X7`@jRA01aaXMD4RY^P&f@tt#R`7yN*wlmdv6k1F5F&Knrfu_vv!v
z-mXVNtFY__Jrep158roa!G!Gu)NCCEn*~^$`fsS{E-f$;X=%WCXOwnmZP)knC$xN7
z;9foU5Mq?#z^o_fbc{{H+t6CDXeTzSG(s}9sV`fphj5t~1pujX_#qpug>bd0veD1z
z?ZESw@+|j3!-$qvp*$!15)HAwg9rT+cxI0<<Nb-X0W*3i1D}e>BgQ+!_=r&|tji!b
z{)$hAp@0p_#O{M+)@aB*uSpFN*6*<PxjiI>dQ)+dt(F&xvZ7RJ!e|qn`0>+Gq73~<
zJc9Nr-z3DtU-`{or1P5H4p(EX!|TXf)3hGmHO@wFUQ_j|33aX(=Y(2kwXc4H*Xi+k
z@@ickZ(ehYtJUFk=AjS%t7Tn{HEv%mmThhkc|K2zo>T4edV+HPW!=rbYPYLKnq~an
zw7k7)UR_Yo>}c`iHei#RTfFO<ok&1GX-Pc(y4E-$1>Fr*w>TReEW#8K9%oHW)0(D6
zprB7ZUWb<oH?OYo6cl(l+gSrAUM8?|X$n;?<+yka)=pKzP|535^VNzvTHUEGU90A~
z)lsUowf=E+bNx<r^oiX&)l$<~>+V*D;#KOXBdgRg2LaWC<}2z@yuMZSt8>fLIrG%n
z^IMmihu76FHD8{q=AHDb^=s=N_is`2%`v7j#XQP1L8(`_n~E|{?*3VEo0`2{ouC%%
zuD6)XKfa@GkLgNleZ9};Te~!0^{IOr_Uy>tW6DljyR=|Wo;vdA(t`Rt_4%Vq^XpAH
z*5ZQtQm{%bo|jke%U5^c+uXX#9IfVFlU-b>j_O)_qJI11YQqu#A5?!H3i!<HyZ6->
zuX5#`QSbfW$dTeAb##~MvgD<vo2~f&vSiaTt9iY;>!YQs)v_aN)%#2nlA#J;o@tDA
zyXwpDGPk{Fj`@$`2aEG|lwNrZY8ib5Y<SDB?(tozuHOy4Q>^Bxuc!m3b{sT~PBweh
zU24C1sO^X9C~Q_&*ACyjBR<gRTd>rWZB?ym@hACeagX2ZQ*GuLbzAlh&@twuT3UZ%
z*%39lc(t0}3N;L<CwFhJS8p=qCaW7iQD59$yj~pxUBAP0WwPqqS+Dx{sQ#V1)oY+N
z@IMUBI{yxJ&Y9vdI0W@jkN-YUJlfZ_UA=!`u6ol`^=g-CY_hs`K)qirZGc9W*4M)b
zm;PL}ns0s2X&!poU+h*}yZowu&inQ1Nwwi%y<aWe@jo9FyTJStVAW1&L94n)olpje
zu6k2Jvf6bLY=#C5s9oqOs`Y1U)KMo|)gAR}X=}Z@BkW(0%v-w${I68~ohc`|K|Qj2
z_h$30b!O}7J!*Y}X}lH4HdBsbjz0}PQw*{@TDP07u&TZ*|5lIUo6SwC*PME~cxz~F
z(1C3O+w-^Q-+u(upMd|M)AyJrr<leL+r7Kk4eny|ZCBrXrR<2heY?6Hgz}D?V}5J8
zVwhS6tv)GB@Y__Byc=IfcF2ivnbZgWnI>2<yV#<b@4mgRI8UAMc>N?bXZwAszrOy6
zX<G8Kdeh2eb+>uFX^PTUzkT=P;7>4i+MmsS@HcRfwd(E$zi+2%_3d7(E>lbMj}-dy
z+d#1?QpmM)&VqS%k(b-N+9hz&sjU`yPH#;f&`jd5I?S3|ULopS%^u-x@i|3PqbR^h
z4ur?MprzK?Qhe1UTaBx^!P!D&L4Ll?<8JbnJ6arTJjJ)=x8>8Tpm;gv&vHBJJ;e(v
zt{cB_W)Zv#$CubE#+S?)Uoq#pg7Nc8Cc(RKd__gs_{y@1@z()w;dS#%7R<9bJgb}6
z7CRc(*>IU_@_CCV=G$(zZLrz?@9dfQ|IeQBve)nhK~amNWnHmtjr?7V;?dBjwnZLi
ziw*aMYKO-;+SZJgIlaynPx0uQrp7u~eXXmd_%hF}?rAxm%WOFwo40ATv$4eKscCUF
zdtFV9#h0NPpHa<aqiv8^JUYiyCmZBy1ci+bcaCTD|1&$dir@;ylg5(k7c{!pjfb<a
z!{_$SYpN}|e!OS3t9h2I#p4|<s7#B~QQHJ!m#_zRJg;-jKW|a^ZVAz1Fg&zx#zR4`
ztH$A$T{P%5W89d_ZP^QFR@AxN&S^G%-y7d*%Z7YstIGqGPO}x{7EHyQ5(p}$*$VUX
zr{?8P%qyH^%bzr@uwYvLL|e81{}Lte2LFP0kpLePC3D2A1q&<f%a&pOB!Lbmz~SIs
zD8S(aIGg~76EmR`+-{dcRM_n$qFjavGo39EZ;&hMy(t<&vRD|p4d-w%wB>&hBjp)l
z4^my`Y`n72Hr?iNt#>xnjq^D1H)a+)+&<^!qFCTfpgyq#&kZ4Gi*U9&Th@sNhi73^
zlb4#%(xi!Ub|p?_k>e@Osmbx=)X0=a{;d_-$cgbnPBG2*gwY9wHmp!c<TvEE<>XIk
zgY<Z*W_-SzbMyqvVH|Hsx!a1D!;GWJjZ=^3c1|t$(ak|JNZSl6k1#AdBCzCewntDa
zWkLOaZRq6483qo=%_u4Y?k~{&MQ!z(X~Nlt-7!s6_-bmL7&ZpIro;Q~u%1mXH-2b>
zVrcn9LQ8u&jd#y&oW}U>c248BH#gzw4iMK~{G>a|&VctlEVBvT+ssrBl|IP%Sm+Tg
z4a~>1G$?pnOG5=uYiX$9C#)Y8{imiA6#W_x7}S)c*B~89=}q_;@vR8KB~a39K{QiZ
zMXZr&pQ`l*(zPs$SjV!6_&nDri}X%~WD%dBw2Jt8h%C}?uq@&MmPPzqh%C~*EQ|OV
z%Oc{#U!yG2qf8`=IEK>d7=CJOltubYmPI_svIqGQu~8Q3!z_#V9?QPRk7<pvNS9hj
z7I7Y>)p`6l*C>nhlPrt)G|N8CPiu{`NJmGIEMhFB)mVODYm`O0gk=$DvFt2<W^0s1
zdIifO-omoC@MBw}EYd$_S;R+K_ECOvYm`O$&n%1h7nc1CKd?2*BCSS}EMg3$)fj$e
zYm`NL3d<r+W7%o^*w!eE^k*!K_yx;;!Ov!mvPhqdB3Z;9N~=BmAk`>~^lX)65$94`
zoy*Tojj~8jjv-mZDU?>H@KaBtEYkC1Nfxo3(rP(Bmo&;E-O93vZ7kcyk0p(=NT<h<
zEMg|5)l7bVXp}`dE}mo&6DX}F@RLHLEYi0okSwBy(yE7_?ipo~KE<+#y)4_y&*F@-
zNJl1-ETT$jRprNKMp>jQhL9}cB1)@^_(7Oa7U|TXB#W3%X*HdnWf^6W{@hBki2amS
z`}v8HQ5Na$WRgWZNon;YKgbDMAAl}R;q?J<UJ9=d{CLGEi}Zsmi}(=BKEw}AjIu}{
zWLd;Nu<RfBnTb&r=_}Jn7I6Zl)d~Dy!zhdNYw0A5_&TN4*ZJv!Q5NZ=86=DN0j1Rs
z_z8ef7U|8IB#U?#rPaImPTwet^pPx*MLbGr^(fz#8)cDpjwD&cdP=MHe93E+MS7`?
zWD%EBT1EUph%C~6mPOpcvWR#YX_Q6!FQZ8o@m)%*@A9RkQT9rKG`=RJ&<*V+e>M<b
zS-QAI)1ZGU6kk<UO?7ouUg7fap+gU}Jl?7rh}%S?bL~vds+wC--{NR)5KYa_#v6T2
z-b-E2LDJ=RJMuiv8Xts_>tqBBL0TSP#|7Wad0h34&RSbdgQEqj@H9JWoTA0)o!R7T
z^kR;?X)OeU7(F|yWOOHkyQ(T*)vZ29Em-evYOJ@(KfXrRhM#xElZ(J#S#(1*E-*01
z&#f8aL%N`=TC*Ce@K$(RT#fajyzDx>=EHg&?&byubU>SzBT*>r0jcI@XKj^Hjn@GZ
zfdJlM51Iiz3AM;3aUGE3YHWfQU_RI%6tvR-l%dJBu6mbOv(nL0kHwp@;f-)?tu4}1
zaO|<qys63OuD#yfRI@tJE*d$CnX9U*-K%RFy;^@s(*mmbuu<u#b~~~0Alc%UmlpQM
zR_YD>um_i@Yie2J@KS55pz;dn0w455LsN@aYKF$P!r=j0>Oe0FR5Z)!)w&7GanQ~D
zMxWcweN<Id@4~SSl$_)6poPNOSUVGarAG6QYPX|twUD>70^F*$8vTnJy#~%8!8XfL
zyj40c6m9l3)_{(xT4!sO94VixR<ug%z;W<w59gvFr-GBRquJ?^9sy@KiDWY6k=MFB
z^R!b{Py?<<Q#}T@JZlYhUG2oD9TkP!QSEfo0f$b30kyN8-ual1CrKWGAYB2;a-2ee
zRRX(79_HZywZ?_r(CBtGt`6$-3Q(@C0Mw=B3$Jf#qSNWz5`*Mi4=o8^NISh^W@%;B
z%*7Q|AcJ=-FetiLf<l84bn2uz3IiZpQPZ?$O;aPaYLJU!_s!H!r~1iPjw{{QqlPts
z3d$GGZS*#ZTDMy&^tM(tf>JSi{vz8<TTyONZXtN9+X;&W8G$zyjVy_RX#PwGuCA`S
zbrter1cp_PjA8Ue9lDaM2`ZwMRO_upFa{F~xm#xXT3SK}1lu*Yv95_`C|V!t_R`&h
z4*amLLQ}nlgMXmFLZ_p)3_OZg64^0^Q?;b4VEw8s2zDZQ(x#btiFKhudYI0e4=bab
zksgmbAO94H8h4Y&Nq(UFpj_CS<>INe6gHL6ie|w!VsESsUXw$cCanZTc(p1QW39*J
z-B{4wL10nBx#W@V?p#~J%Qwz$y!@Ca7iLGTt4-+lYJuuXoHf9o?^{z13iWFfZ3_tU
zeY;#1gr~{ZQsb1P3<k_{xZJ)LC(MPain0ZjI2UT0e7L}R^o>AHxj}VS0M{Mx3}a1l
z2{B%c1TAmi>by@?K{vF5Gq>QLf<pjJ*1cCN)8ceWaks<c<t8+fR#+U{X#atMakjx<
z_H%G=8oQdN=5_jF?W4t78jRxL_iLM4YQN`4jh(QG(mE__lykERb{#q2=1O1Z?ksO{
z${mQzk;@<KpV&m$BFL2sMR{pK0SIbc28Lm`FDhFwe>RAq4}g75t<Dy=qZxX?rg@#H
zgQeQwaClpUZX`P-L>;*r?5!TrO#2QkoRD2h#`(Y{j8nT}wX3;YixJRaOL$oTuVc4{
z>0!9}GR#vMGT^r9Xax_#y)<aHNK>_yP+s8~?#~Q0NeOmz+{EQNEGIuiANm?IX!C~*
z53iqc+UT_|)EAo;IikG%!!Ft)_Zi;HIf5$3T|&&BIdhtA9IUmM^HST9m5txoNag@k
zS-(&yx2sBKoW-(LfwLzEt@x4;ZLdpEuis*dk67S0BX0`lPge%>Dh1sujSW){zm<gd
zNI7A6_XxT-njD7roS=K6XTtFI3%VDIH}cs2<AUyi)*9_B_gnCrQfac`boa9)jNUAT
z?t1D%^vd=tbhmSLm~xd0-Q}c(Dc7vf-OV*&c=#!QysMcMhWDI8cQaGN@b)Wo7n2``
zcU+;nmtTe9T~O$*<*P7lNHfvhiX%+9BL2Mj7h%S}+(dULX-3{c;^B8P@vdZC7@hbb
z3A`J5GQ<`f!>3Gi7jnkPyU`zUm*s96e-qt*IK$X;+(h>sZDI6YFwy<S@JskcmYMD}
z=7rHa#Y}e?`@@aDneHr(geix2(|AX5Hk|*P=}w|POu6UGbO&)mIR7`(okLL=-f=VC
zF;pvI+Ha;ig@?nmANlyXUc5(0QNs88bPL@bJRhdsB^J6Xs0h;*uZ8Xg?lleO;cs!^
zUBEyXox3b__P-*G{~WN;S$}>Qo%mHrJlmfS(J690>(+Q3)qvg>!Uin`k!Y?LPn@}U
zs1~`^u%PD3Cree1>T28wr3mG?aAz{m5K1_KZla<xA5t;_dl!T*np{(ju~@UO8slA$
zF%NdG#(Jk-H<%}KF)GKPQyQ3iiGRf)w-L7VTv+fYz_A$4qEe@`0YVMj;B)I+ntZqx
z|Ff@e1b*5n@Iqh1%MkoFo?Xzj2EJkF<Z}vsej%UR7%w`s>kn`Z5pB>n1&pyplRgv6
zq5d4!XV%JR8?R6T=_^@YlT)*U?bqb;S)VY-br~|W<n<wP$8+eWCsgj5kajFtC&b<a
zYDbiz9ScMB#Y4xGM-0|CKSW>J)<8c;8}!{GwC6$eT6vui?-=yi7*~nl{+ls7*bq&w
zE~H-DR{9nn)*EN2cYR1ZX3T*(8#TBc?ICi976_3i2Fq;;srQhfy@`f;9}Cg<-GYGa
zMtzTj=<C`_&-hT^5QDy5Tqd98MwUY##surb_pd|h-MCDMp<(LX%jrlSknPKY{Zy0t
zFht*j%S6yi<NaL(kMG0F=sO$QOG|zh(%zn}^wmRbZ>pia*mko)?tv=M9memCb>i!M
zEqxLl=c_i)lekW!zHzI;r^EPj=*yUI5r6;A$TJ7kjI<?$jtHS6L+GdwI$9)fnx2t{
z>W>vEA`r(S-zEaFE7JIdSuI{g8vnTqEk;Fpo(ROHNMjtS#iE1ji<8e~sqNSoal$JC
zYbVk$e0sc!<+qDKe2Vmc0A4W2<KBxOPA!vktawS#yy#;7pMvVMh`)(IOpE$Zmlnq&
zonVMvksf7;SCO7*h*6QY8{$%=ml|SGq+N#i6Y1LwF(=a7lt7$`G{(7FY>D(fB@j;{
z{k{^2A(6)C$y(fqG=3acixrX1G{lBT7aHP0X}=)`l=hnfF(1-xra+vB^bbve*bZs@
zYT<dqc;NR;wfGMC_>5YM>5x8Z3dC_pe{KrIZb)A=1>!ZNlMFE$()hy>T1<vC#-Uma
zhIFYp5O*P6We&tzNaN=uwD<~X{Jet}Q%Qd_2jZx~{+kd&Cx*~NLTGCUJuHMy387O%
z=;RPuk)Ny3UPDd8#LEU6*QGy&(0>h~-w&bxCxq?^q0fiV--XZ#mSB2V2%Q;1j}M_I
zhS1YOXnP2~IE1baq3c6vUkJT9guXX~zCVP1JcRy92>ogZeK>?Z5kmKc&;y3pd?@-`
z&?71BSyA8_fbsIoa6uLRZrE_=V!USzy_yMkDWpHH3c8Z!tCifMqKOlYH|v*re)G@W
z-)gt1VQv@0+-wfI=pTGV9qv&_=+mo9-uMPT8@kj*+NB?6{Nuaqz<u?gXG-7qz~d74
z!C@}k!#%6`r*C%k$2gaGIxzSVS(s;WgCBK;za0*_{vCX=81@n3rSImAmxJM+ss>%M
zUgAMe@a62_$Gu^Xn^m*R7F>T_S=EABvnuSBRh8FWUuLfoYn*F5PA@%}g%VDfh@cj~
zpIp9RVP(~IZa4u~E%LhLWj@v>vu8nf1ahJ1n$@@nNFKDK*4Ip2(1?!-9sKALWwA-k
zB)QC>y?kMnXN|latrOVU&<gowkE&{U1}`tegLR``d|}mf9#~Mk!r^UlF;`<sLCsQm
z!D_5W&%8wKa;ULeP=!<lD!=cO1M)lb5P0Lx8#7A?{0FftvngJ)z}agx^KWH7{_IpV
z1m_!(KUavS5Fyz3IbtcS&xjB#evSyi>qVB2hj_sPhtE7jI9pw#5WiF*{xas@&ioGM
zKdVsvyA`Vcmn^>r`EaKCBlF*7KAyELHwtl@^UrfWo|~{-0-yyB%lN}g$j>zqzlizx
zD<jyhg-kn;u7G}EdOg#dnZBRt$C%#5^fA`|G3&=T%u-3;*@}jZDW1_`rgAREt&H;X
zpo<``W%?DSyO=)C7;PaOVj+Hkh5Bte<3bDBf%j!-2i}cY77KA7^B=a59rzopD3=mJ
za-#q(H^KfHN%>z#QocQk#(BO<`IRc=KdO=)&*Lw3!C~T{O8URzd^MW#$3|2B;%Lfu
za=xGQU*P=z;`|Ree?|<|H!FtfyD^6RZd(k=|CsR!%wG!U>KO9FS2+LAG2~zUF{F1x
zEa}64u@Uv%8%z2=h$Vh(9MwBIj^xJ0kz8FI>GQ>r+#W<YJ0E7W#*=({Jjw5hr+#cp
zp!_=$DF1^5(*JkPKgap`iKPEpK+AF=)+EySY+-yVk?Q>g(|<q&UpSXY`r?yFpEZf}
z6(*6sn;F{}A7OkhiRyWk=|3`kGKus>4PpOc%w?RyxNHd3w{i&8*FA*%11~Y~C+$ZJ
zC4Tl$;{PY+-z>z@p|sBQ52bnWq?PJ>k?~6_mHWm@<!T^Qx7-5jLo&(tCKLbf$;2-h
zM*Z<R<KKsoeP0cuc`-DF=!_Ji@%Qvlt~iC~Nea)C6dq^h-_GSWbGb)Z?g^Ir8Oyzj
z{3?hwng1U1KTaWgqf)88)>P6rI+gtKYNl^sx}51MrrVglo9RxbA7%PiOz&s<EvAn$
zeVS<{jp(Q}qEncjm`3(aO(T1M!2Ej{A4sEi|B~rFOm{JToaxWgsQq6tI?{PvODF!?
zbjp8(^B?E@x6`Tqchaf;^bG3HnT)q&kbnC#s9Z+|m3t(E^!<$UU*i1Z8Km!I2I)JU
zLH(baN&P=2ljI9Csr{u)FJpQo(@jiwWRkw^nWS$w^Iv9sjqxJmh%CZsS!7>n7WvmE
z&fl6vc0R}S3rv5MMfG%NQ9V(^X+4@Sob110IN85uIN9YHPUU~V^n=5xKFbKo&t@!P
zTsea5@G-r81j#?c^gibIGJR$Q*;PK0<lH04zLt?>-`yig?pek+89!xAwh?C8NY4*#
zRDPR{`_V@2!+&}c*Nf;;fGc609Yy7?8b#~eqETem8_Yk)blPZ=vjJKll3C33ElfYa
z^rK97ji&lP8qNFt7~b#4P#kgN7}^(K7(@E^FyalM5<z#=%C&UQi8zcg9TE2S;f$jY
zqv$Rg`I8xo8A}*T85c6%#OP#nGv3O$k?}6Z4#tNVpJe<Q<8K)EGya+JeZ~`v{frkG
zV->;_#>*LV8K*JMVO+&{D`OkuM#j4sI~gBje2npF#^)J-!T4*&{fvKR{DAQk<2gqB
zIyGW4<4DFU8K*MNW?aO$im{dPcE%qtwln^i@fpS!8TT<BV*H4)kMV0p{34C)SH^6{
zLdF@4^BGq#u3~Isyo>Qc#+{7MGrq*QkMR)WM~r=pUo+wlHY1K<%wsHNT*fGW;}F{7
zV#I&DOPLPyjQKk_|4GJYng0UwUuFCwV;9REV?56CCz$^Q=bvFb$NUS-kBp%F7{-JM
z;#(t#KZ5f|Gmd3`9`mnZoXh-qj5o5}V&*$I-^u7=ehc$AG2YAgDC18VUuJxR@i5~j
ztnX9CKF<G^F*=g+;~9rUQoWZ)5`Qux?2lJ7UCOwa<(Dzu!sWco-^lrX#=DvS81tXw
z{9TMMF#iqa|Aq7a%6OFdUoih`&cDcLiXwh?6#G{c<xgb1iuv=Hzl8HwFs@{NEA#K<
z{4I>_%)gKMI~jk*_zL3zmVcY^5SKg3{7)J2SF#a@FpgxL&WPXZ!Sbby_={zzX9@Ft
zjGLIhnQ<%2ZD;--#v_a;8BeqPS;nuq9R3;*@`o~xVk}^s!MK32nGt_{5A|$f+#F5%
zI+_0%<4>5soADPc_gm&4Wb9)6l<_R1{3R7!*BHmgke+<Tq8QRw%=|LOYQ{#EYhi3<
z`FolF7~?L+J&bQLzR!4)%m0n>bJlZ?`H``N!x*y}Co*2oxP-Abmh?0*x?@S7kNKM!
z?`M31@fVCAGM?b_rx-tDJ!hF85y$<=IEHZ|<F#>AZYJaGI4WPx{3^yq#tn>*GCs%U
zb}_!d<$uHc1B^!)PcnYVI3%9X#+Vn+^O$i8=g(%kl(C%is~H<PzlE_ip6uAj{CgQ6
zV?4;%#rP@XIY#^`d(;!f7@I))k`uTe84DS&V=QN^Vr*pGz}U(72<v@}@p0DwQ|AAM
z@d)Fmj9;+)8OC#54j*YDKZ!9bk@z;o>_n2A!2IcqrHsoMU5ssvcQZc3_$2FlmhpMk
z`y%sSV|<74bCx^J_zmaBBoUp!n9Vqj@tP!(yMgKXj0=;fzU9nc#dtsSA7Xrz^Pgw>
z=ZtS~{yR*+$M`<${e=0a8I>X2uZ%Xv@k6LwK4Z}kDqqa}GREbMs~FcYZe@Ik@fpTn
zG45x4m+@o9(~K9nUei#*$e~n!;!xs`V4T1>ow1a08KaA_jqz^AA2B}7_#)#W#{Xvg
zmNC;xcm?BB#yN~PG1fDBtYr6E#@no9|7Paj&-eu6UdE3YKVytbCQMEyJ!y<t$)qob
z`6Z0y%&%lz!g3DgH#2TzyqEDY#$Aki7~f(&e_}ks`JXb~%h=EP-!W|-MyL+s{$sq1
z^RHyg8%Fj`Vg78!#f(lyFQcFFamL+<;LHEX^s7w2%k+OE@_m-vFH(pflR|U~BE<BW
zOpjy!GYZ*<FD!3iv@wonoWfYbSkAbDv4PRcxQX!|#)lc7Vtj$|cZ>%Z4>KNT>|;F7
zc!5!#yCVab#OG_Y+hn58{UI)4^fGQ^+{Ji+v6~Tp+yK$WIGu3`qnB|T<1WSnjNOd*
zC>b$}aSCH4V>9DDjL$J1VC-hZ4>?JD7^gEXVe~R?W8B4ffU%nq2UhA~oWZz)v5oNo
M#upghX6#}7Klm~-q5uE@
--- a/security/nss/lib/sysinit/nsssysinit.c
+++ b/security/nss/lib/sysinit/nsssysinit.c
@@ -31,32 +31,32 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #include "seccomon.h"
 #include "prio.h"
 #include "prprf.h"
-
-
+#include "plhash.h"
 
 /*
  * The following provides a default example for operating systems to set up
  * and manage applications loading NSS on their OS globally.
  *
  * This code hooks in to the system pkcs11.txt, which controls all the loading
  * of pkcs11 modules common to all applications.
  */
 
 /*
  * OS Specific function to get where the NSS user database should reside.
  */
 
 #ifdef XP_UNIX
+#include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 static int 
 testdir(char *dir)
 {
    struct stat buf;
    memset(&buf, 0, sizeof(buf));
@@ -105,36 +105,65 @@ getUserDB(void)
 }
 
 #define NSS_DEFAULT_SYSTEM "/etc/pki/nssdb"
 static char *
 getSystemDB(void) {
    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
 }
 
+static PRBool
+userIsRoot()
+{
+   /* this works for linux and all unixes that we know off
+	  though it isn't stated as such in POSIX documentation */
+   return getuid() == 0;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
+}
+
 #else
 #ifdef XP_WIN
 static char *
 getUserDB(void)
 {
-   /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the user's NSS_DIR. if no entry exists, create
     * one in the users Appdir location */
    return NULL;
 }
 
 static char *
 getSystemDB(void)
 {
-   /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the system's NSS_DIR. if no entry exists, create
     * one based on the windows system data area */
    return NULL;
 }
 
+static PRBool
+userIsRoot()
+{
+   /* use the registry to find if the user is the system administrator. */
+   return PR_FALSE;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   /* use the registry to find if the user has administrative privilege 
+    * to modify the system's nss database. */
+   return PR_FALSE;
+}
+
 #else
-#error "Need to write getUserDB and get SystemDB functions"
+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
 static PRBool 
 getFIPSEnv(void)
 {
     char *fipsEnv = getenv("NSS_FIPS");
     if (!fipsEnv) {
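Review bot: userIsRoot() and userCanModifySystemDB() both test the real user ID (getuid(), and access(), which checks with the real UID/GID), but nothing in the added Unix block says so. In a process whose effective UID differs from its real UID, the two answers describe the invoking user rather than the privileges the process runs with, and the access() result can be stale by the time the database is opened. I would document that above userIsRoot(), e.g. `/* Both checks below use the real UID; they are a policy hint, not an access-control decision. */`, and fix the typo `know off` to `know of`. The new functions are also declared with `()` where the neighbouring getUserDB(void) and getSystemDB(void) use `(void)`.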
@@ -179,16 +208,35 @@ getFIPSMode(void)
 {
     return getFIPSEnv();
 }
 #endif
 
 
 #define NSS_DEFAULT_FLAGS "flags=readonly"
 
+/* configuration flags according to
+ * https://developer.mozilla.org/en/PKCS11_Module_Specs
+ * As stated there the slotParams start with a slot name which is a slotID
+ * Slots 1 through 3 are reserved for the nss internal modules as follows:
+ * 1 for crypto operations slot non-fips,
+ * 2 for the key slot, and
+ * 3 for the crypto operations slot fips
+ */
+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define SLOT_FLAGS \
+	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+	" askpw=any timeout=30 ]"
+ 
+static const char *nssDefaultFlags =
+	ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
+
+static const char *nssDefaultFIPSFlags =
+	ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
+
 /*
  * This function builds the list of databases and modules to load, and sets
  * their configuration. For the sample we have a fixed set.
  *  1. We load the user's home nss database.
  *  2. We load the user's custom PKCS #11 modules.
  *  3. We load the system nss database readonly.
  *
  * Any space allocated in get_list must be freed in release_list.
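Review bot: nssDefaultFlags and nssDefaultFIPSFlags end in two blanks after the closing `}`, and nothing documents that this trailing whitespace is load-bearing. get_list() pastes the string directly in front of `flags=` with `"NSS=\"%sflags=internal..."`, so trimming the literal would fuse the slotParams block with the next keyword and change how the module spec is parsed. A short comment on the two definitions would protect against that, e.g. `/* keep the trailing blanks: get_list() formats this immediately before "flags=" */`. The block comment also describes slot 2 (the key slot), although only 0x00000001 and 0x00000003 are used here; saying so would help.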
@@ -196,56 +244,90 @@ getFIPSMode(void)
  * it is running in the process of the application for which it is making 
  * decisions, so it's possible to acquire the application name as part of
  * the decision making process.
  *
  */
 static char **
 get_list(char *filename, char *stripped_parameters)
 {
-    char **module_list = PORT_ZNewArray(char *, 4);
-    char *userdb;
+    char **module_list = PORT_ZNewArray(char *, 5);
+    char *userdb, *sysdb;
+    int isFIPS = getFIPSMode();
+    const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
     int next = 0;
 
     /* can't get any space */
     if (module_list == NULL) {
 	return NULL;
     }
 
-    userdb  = getUserDB();
-    if (userdb != NULL) {
+    sysdb = getSystemDB();
+    userdb = getUserDB();
+
+    /* Don't open root's user DB */
+    if (userdb != NULL && !userIsRoot()) {
 	/* return a list of databases to open. First the user Database */
 	module_list[next++] = PR_smprintf(
 	    "library= "
 	    "module=\"NSS User database\" "
-	    "parameters=\"configdir='sql:%s' %s\" "
-	    "NSS=\"flags=internal%s\"", 
-		userdb, stripped_parameters, getFIPSMode() ? ",FIPS" : "");
+	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
+        "NSS=\"%sflags=internal%s\"",
+        userdb, stripped_parameters, nssflags,
+        isFIPS ? ",FIPS" : "");
 
 	/* now open the user's defined PKCS #11 modules */
 	/* skip the local user DB entry */
 	module_list[next++] = PR_smprintf(
 	    "library= "
 	    "module=\"NSS User database\" "
 	    "parameters=\"configdir='sql:%s' %s\" "
 	    "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", 
 		userdb, stripped_parameters);
-   }
+	}
+
+#if 0
+	/* This doesn't actually work. If we register
+		both this and the sysdb (in either order)
+		then only one of them actually shows up */
+
+    /* Using a NULL filename as a Boolean flag to
+     * prevent registering both an application-defined
+     * db and the system db. rhbz #546211.
+     */
+    PORT_Assert(filename);
+    if (sysdb && PL_CompareStrings(filename, sysdb))
+	    filename = NULL;
+    else if (userdb && PL_CompareStrings(filename, userdb))
+	    filename = NULL;
 
-    /* now the system database (always read only) */
-    module_list[next++] = PR_smprintf(
-	"library= "
-	"module=\"NSS system database\" "
-	"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
-	"NSS=\"flags=internal,critical\"",filename);
+    if (filename && !userIsRoot()) {
+	    module_list[next++] = PR_smprintf(
+	      "library= "
+	      "module=\"NSS database\" "
+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
+	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
+    }
+#endif
+
+    /* now the system database (always read only unless it's root) */
+    if (sysdb) {
+	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+	    module_list[next++] = PR_smprintf(
+	      "library= "
+	      "module=\"NSS system database\" "
+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
+    }
 
     /* that was the last module */
     module_list[next] = 0;
 
     PORT_Free(userdb);
+    PORT_Free(sysdb);
 
     return module_list;
 }
 
 static char **
 release_list(char **arg)
 {
     static char *success = "Success";
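Review bot: None of the PR_smprintf() results stored with `module_list[next++] = PR_smprintf(...)` in get_list() is checked, and the list is NULL-terminated, so an allocation failure on an early entry leaves a NULL in the middle of the array. A consumer that walks to the first NULL would then stop early and never see the system database entry marked `critical`, and release_list() (body outside this hunk) may not free the entries after the gap. This is inferred from the terminator convention, not from visible caller code. Storing first and advancing only on success, `if (module_list[next] != NULL) next++;`, keeps the array dense. Separately, the comment `always read only unless it's root` does not match the code, which keys on userCanModifySystemDB() (write access to the directory), so it should read `read only unless the caller can write to it`.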
--- a/security/nss/lib/util/manifest.mn
+++ b/security/nss/lib/util/manifest.mn
@@ -90,17 +90,16 @@ CSRCS = \
 	secasn1d.c \
 	secasn1e.c \
 	secasn1u.c \
 	secitem.c \
 	secload.c \
 	secoid.c \
 	sectime.c \
 	secport.c \
-	secinit.c \
 	templates.c \
 	utf8.c \
 	$(NULL)
 
 MODULE = nss
 
 # don't duplicate module name in REQUIRES
 MAPFILE = $(OBJDIR)/nssutil.def
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -46,16 +46,16 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.12.6.0 Beta"
+#define NSSUTIL_VERSION  "3.12.6.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   12
 #define NSSUTIL_VPATCH   6
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 #endif /* __nssutil_h_ */
deleted file mode 100644
--- a/security/nss/lib/util/secinit.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nspr.h"
-#include "secport.h"
-
-static int sec_inited = 0;
-
-void 
-SEC_Init(void)
-{
-    /* PR_Init() must be called before SEC_Init() */
-#if !defined(SERVER_BUILD)
-    PORT_Assert(PR_Initialized() == PR_TRUE);
-#endif
-    if (sec_inited)
-	return;
-
-    sec_inited = 1;
-}
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -37,16 +37,36 @@
 
 #include "secoid.h"
 #include "pkcs11t.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "prenv.h"
 #include "plhash.h"
 #include "nssrwlk.h"
+#include "nssutil.h"
+
+/* Library identity and versioning */
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_util_rcsid[] = "$Header: NSS " NSSUTIL_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
 
 /* MISSI Mosaic Object ID space */
 #define USGOV                   0x60, 0x86, 0x48, 0x01, 0x65
 #define MISSI	                USGOV, 0x02, 0x01, 0x01
 #define MISSI_OLD_KEA_DSS	MISSI, 0x0c
 #define MISSI_OLD_DSS		MISSI, 0x02
 #define MISSI_KEA_DSS		MISSI, 0x14
 #define MISSI_DSS		MISSI, 0x13
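Review bot: The new `__nss_util_rcsid` and `__nss_util_sccsid` strings embed `__DATE__` and `__TIME__`, so two builds of the same source produce different library bytes. That gets in the way of verifying a shipped binary against an independent rebuild, and the version string alone already identifies the release. Consider dropping the timestamp, e.g. `const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING;`, or taking it from a value the build system supplies. The comment above them is also missing a closing quote in `'what commands`, and names beginning with `__` or with `_` plus a capital letter are reserved for the implementation in C.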
@@ -1856,16 +1876,19 @@ handleHashAlgSupport(char * envVal)
 
 SECStatus
 SECOID_Init(void)
 {
     PLHashEntry *entry;
     const SECOidData *oid;
     int i;
     char * envVal;
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_util_rcsid[0] + __nss_util_sccsid[0];
 
     if (oidhash) {
 	return SECSuccess; /* already initialized */
     }
 
     if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
 	/* initialize any policy flags that are disabled by default */
 	xOids[SEC_OID_MD2                           ].notPolicyFlags = ~0;
--- a/security/nss/tests/memleak/memleak.sh
+++ b/security/nss/tests/memleak/memleak.sh
@@ -421,16 +421,17 @@ run_strsclnt()
 	${BINDIR}/tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}
 	ret=$?
 	if [ $ret -ne 0 ]; then
 		html_failed "${LOGNAME}: Tstclnt"
 		echo "${SCRIPTNAME} ${LOGNAME}: " \
 			"Tstclnt produced a returncode of ${ret} - FAILED"
 	fi
 	
+	sleep 20
 	kill $(jobs -p) 2> /dev/null
 }
 
 ########################### run_strsclnt_dbg ###########################
 # local shell function to run strsclnt under debug tool for all ciphers 
 # and send stop command to selfserv over tstclnt
 ########################################################################
 run_strsclnt_dbg()
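Review bot: The added `sleep 20` before `kill $(jobs -p)` in run_strsclnt() has no comment saying what it waits for. A fixed delay slows every run and can still be too short on a loaded machine. If it is there to let the background jobs finish writing their output before they are killed (an assumption; the hunk does not say), state that in a comment such as `# give background jobs time to flush their logs before killing them`. The start of run_strsclnt() is outside this hunk.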