Bug 695833: Update NSS to NSS_3_13_1_BETA2. Includes fixes for
authorWan-Teh Chang <wtc@google.com>
Sat, 22 Oct 2011 17:46:33 -0700
changeset 79130 85be1cf6dd9e111473a5525bd23415ed3b783ed8
parent 79129 5cfb2cfe8bebc3325e2e8796bd0fe09e35c7b1f2
child 79131 969648d5182542a4c7472a7e94a5d252f856a0b1
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
bugs695833, 647706, 691997
milestone10.0a1
Bug 695833: Update NSS to NSS_3_13_1_BETA2. Includes fixes for bug 647706 and bug 691997. See individual bugs for code reviews.
security/coreconf/coreconf.dep
security/nss/TAG-INFO
security/nss/cmd/lib/secutil.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pkcs12/p12local.c
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/sslerrstrs.c
security/nss/lib/ssl/sslerrstrs.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslutil.h
security/nss/lib/util/secalgid.c
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -37,8 +37,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_13_1_BETA1
+NSS_3_13_1_BETA2
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3758,16 +3758,18 @@ SECU_StringToSignatureAlgTag(const char 
 	if (!PL_strcmp(alg, "MD2")) {
 	    hashAlgTag = SEC_OID_MD2;
 	} else if (!PL_strcmp(alg, "MD4")) {
 	    hashAlgTag = SEC_OID_MD4;
 	} else if (!PL_strcmp(alg, "MD5")) {
 	    hashAlgTag = SEC_OID_MD5;
 	} else if (!PL_strcmp(alg, "SHA1")) {
 	    hashAlgTag = SEC_OID_SHA1;
+	} else if (!PL_strcmp(alg, "SHA224")) {
+	    hashAlgTag = SEC_OID_SHA224;
 	} else if (!PL_strcmp(alg, "SHA256")) {
 	    hashAlgTag = SEC_OID_SHA256;
 	} else if (!PL_strcmp(alg, "SHA384")) {
 	    hashAlgTag = SEC_OID_SHA384;
 	} else if (!PL_strcmp(alg, "SHA512")) {
 	    hashAlgTag = SEC_OID_SHA512;
 	}
     }
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -545,16 +545,17 @@ seckey_GetKeyType (SECOidTag tag) {
 	break;
       case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 	keyType = ecKey;
 	break;
       /* accommodate applications that hand us a signature type when they 
 	* should be handing us a cipher type */
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	keyType = rsaKey;
 	break;
       default:
 	keyType = nullKey;
     }
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secsign.c,v 1.26 2011/07/24 13:48:12 wtc%google.com Exp $ */
+/* $Id: secsign.c,v 1.27 2011/10/22 14:35:42 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "secder.h"
 #include "keyhi.h"
 #include "secoid.h"
 #include "secdig.h"
@@ -473,16 +473,18 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
 	switch (hashAlgTag) {
 	case SEC_OID_MD2:
 	    sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_MD5:
 	    sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_UNKNOWN:	/* default for RSA if not specified */
 	case SEC_OID_SHA1:
 	    sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_SHA224:
+	    sigTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA256:
 	    sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA384:
 	    sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;	break;
 	case SEC_OID_SHA512:
 	    sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;	break;
 	default:
 	    break;
@@ -497,16 +499,18 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
 	    break;
 	}
 	break;
     case ecKey:
 	switch (hashAlgTag) {
 	case SEC_OID_UNKNOWN:	/* default for ECDSA if not specified */
 	case SEC_OID_SHA1:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break;
+	case SEC_OID_SHA224:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; break;
 	case SEC_OID_SHA256:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break;
 	case SEC_OID_SHA384:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; break;
 	case SEC_OID_SHA512:
             sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; break;
 	default:
 	break;
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secvfy.c,v 1.24 2010/06/23 02:13:56 wtc%google.com Exp $ */
+/* $Id: secvfy.c,v 1.25 2011/10/22 14:35:42 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
 #include "sechash.h"
 #include "keyhi.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "pk11func.h"
@@ -236,16 +236,20 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
         *hashalg = SEC_OID_SHA1;
 	break;
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
         *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */
 	break;
 
+      case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
+	*hashalg = SEC_OID_SHA224;
+	break;
       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
 	*hashalg = SEC_OID_SHA256;
 	break;
       case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
 	*hashalg = SEC_OID_SHA384;
 	break;
@@ -271,19 +275,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
 	 * hash algorithm that is not reduced by the keysize of 
 	 * the EC algorithm. Note that key strength is in bytes and
 	 * algorithms are specified in bits. Never use an algorithm
 	 * weaker than sha1. */
 	len = SECKEY_PublicKeyStrength(key);
 	if (len < 28) { /* 28 bytes == 224 bits */
 	    *hashalg = SEC_OID_SHA1;
 	} else if (len < 32) { /* 32 bytes == 256 bits */
-	    /* SHA 224 not supported in NSS */
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	    return SECFailure;
+	    *hashalg = SEC_OID_SHA224;
 	} else if (len < 48) { /* 48 bytes == 384 bits */
 	    *hashalg = SEC_OID_SHA256;
 	} else if (len < 64) { /* 48 bytes == 512 bits */
 	    *hashalg = SEC_OID_SHA384;
 	} else {
 	    /* use the largest in this case */
 	    *hashalg = SEC_OID_SHA512;
 	}
@@ -318,16 +320,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
     /* get the "encryption" algorithm */ 
     switch (sigAlg) {
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
       case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	*encalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
 	break;
       case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
 	*encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
 	break;
@@ -339,16 +342,17 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
 	break;
       case SEC_OID_MISSI_DSS:
       case SEC_OID_MISSI_KEA_DSS:
       case SEC_OID_MISSI_KEA_DSS_OLD:
       case SEC_OID_MISSI_DSS_OLD:
 	*encalg = SEC_OID_MISSI_DSS;
 	break;
       case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
       case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
       case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
 	*encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
 	break;
       /* we don't implement MD4 hashes */
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -558,16 +558,17 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
     case CKM_CAST5_KEY_GEN:
 	return CKM_CAST5_KEY_GEN;
     case CKM_RSA_PKCS:
     case CKM_RSA_9796:
     case CKM_RSA_X_509:
     case CKM_MD2_RSA_PKCS:
     case CKM_MD5_RSA_PKCS:
     case CKM_SHA1_RSA_PKCS:
+    case CKM_SHA224_RSA_PKCS:
     case CKM_SHA256_RSA_PKCS:
     case CKM_SHA384_RSA_PKCS:
     case CKM_SHA512_RSA_PKCS:
     case CKM_KEY_WRAP_SET_OAEP:
     case CKM_RSA_PKCS_KEY_PAIR_GEN:
 	return CKM_RSA_PKCS_KEY_PAIR_GEN;
     case CKM_RSA_X9_31_KEY_PAIR_GEN:
 	return CKM_RSA_X9_31_KEY_PAIR_GEN;
@@ -591,16 +592,18 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
     case CKM_SSL3_KEY_AND_MAC_DERIVE:
     case CKM_SSL3_SHA1_MAC:
     case CKM_SSL3_MD5_MAC:
     case CKM_TLS_MASTER_KEY_DERIVE:
     case CKM_TLS_KEY_AND_MAC_DERIVE:
 	return CKM_SSL3_PRE_MASTER_KEY_GEN;
     case CKM_SHA_1_HMAC:
     case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_SHA224_HMAC:
+    case CKM_SHA224_HMAC_GENERAL:
     case CKM_SHA256_HMAC:
     case CKM_SHA256_HMAC_GENERAL:
     case CKM_SHA384_HMAC:
     case CKM_SHA384_HMAC_GENERAL:
     case CKM_SHA512_HMAC:
     case CKM_SHA512_HMAC_GENERAL:
     case CKM_MD2_HMAC:
     case CKM_MD2_HMAC_GENERAL:
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -54,30 +54,31 @@
 
 /*************************************************************
  * local static and global data
  *************************************************************/
 
 /*
  * This array helps parsing between names, mechanisms, and flags.
  * to make the config files understand more entries, add them
- * to this table. (NOTE: we need function to export this table and it's size)
+ * to this table. (NOTE: we need function to export this table and its size)
  */
 PK11DefaultArrayEntry PK11_DefaultArray[] = {
 	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
 	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
 	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
 	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
 	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
 	{ "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
 	{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
 	{ "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
 	{ "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC },
 	{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
 	{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
+/*	{ "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */
 	{ "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
 /*	{ "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
 	{ "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
 	{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
 	{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
 	{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
 	{ "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
 	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
@@ -852,16 +853,17 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
     case CKM_DES3_CBC:
 	return &pk11_desSlotList;
     case CKM_RC4:
 	return &pk11_rc4SlotList;
     case CKM_RC5_CBC:
 	return &pk11_rc5SlotList;
     case CKM_SHA_1:
 	return &pk11_sha1SlotList;
+    case CKM_SHA224:
     case CKM_SHA256:
 	return &pk11_sha256SlotList;
     case CKM_SHA384:
     case CKM_SHA512:
 	return &pk11_sha512SlotList;
     case CKM_MD5:
 	return &pk11_md5SlotList;
     case CKM_MD2:
@@ -2019,16 +2021,17 @@ PK11_GetBestSlotMultiple(CK_MECHANISM_TY
 
     PORT_SetError(0);
 
 
     listNeedLogin = PR_FALSE;
     for (i=0; i < mech_count; i++) {
 	if ((type[i] != CKM_FAKE_RANDOM) && 
 	    (type[i] != CKM_SHA_1) &&
+	    (type[i] != CKM_SHA224) &&
 	    (type[i] != CKM_SHA256) &&
 	    (type[i] != CKM_SHA384) &&
 	    (type[i] != CKM_SHA512) &&
 	    (type[i] != CKM_MD5) && 
 	    (type[i] != CKM_MD2)) {
 	    listNeedLogin = PR_TRUE;
 	    break;
 	}
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -57,16 +57,18 @@ sec_pkcs12_algtag_to_mech(SECOidTag algt
 {
     switch (algtag) {
     case SEC_OID_MD2:
 	return CKM_MD2_HMAC;
     case SEC_OID_MD5:
 	return CKM_MD5_HMAC;
     case SEC_OID_SHA1:
 	return CKM_SHA_1_HMAC;
+    case SEC_OID_SHA224:
+	return CKM_SHA224_HMAC;
     case SEC_OID_SHA256:
 	return CKM_SHA256_HMAC;
     case SEC_OID_SHA384:
 	return CKM_SHA384_HMAC;
     case SEC_OID_SHA512:
 	return CKM_SHA512_HMAC;
     default:
 	break;
--- a/security/nss/lib/softoken/rsawrapr.c
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -33,17 +33,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: rsawrapr.c,v 1.18 2011/10/04 22:05:53 wtc%google.com Exp $ */
+/* $Id: rsawrapr.c,v 1.19 2011/10/22 14:35:43 wtc%google.com Exp $ */
 
 #include "blapi.h"
 #include "softoken.h"
 #include "sechash.h"
 
 #include "lowkeyi.h"
 #include "secerr.h"
 
@@ -1164,21 +1164,23 @@ emsa_pss_verify(const unsigned char *mHa
 
     PORT_Free(H_);
     return rv;
 }
 
 static HASH_HashType
 GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
 {
-    /* TODO(wtc): add SHA-224. */
     switch (mech) {
         case CKM_SHA_1:
         case CKG_MGF1_SHA1:
 	    return HASH_AlgSHA1;
+        case CKM_SHA224:
+        case CKG_MGF1_SHA224:
+	    return HASH_AlgSHA224;
         case CKM_SHA256:
         case CKG_MGF1_SHA256:
 	    return HASH_AlgSHA256;
         case CKM_SHA384:
         case CKG_MGF1_SHA384:
 	    return HASH_AlgSHA384;
         case CKM_SHA512:
         case CKG_MGF1_SHA512:
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -35,17 +35,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /* ECC code moved here from ssl3con.c */
-/* $Id: ssl3ecc.c,v 1.24 2010/03/15 08:03:14 nelson%bolyard.com Exp $ */
+/* $Id: ssl3ecc.c,v 1.25 2011/10/22 14:35:44 wtc%google.com Exp $ */
 
 #include "nss.h"
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"	/* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
@@ -963,16 +963,17 @@ ssl3_FilterECCipherSuitesByServerCerts(s
 	SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
 
 	switch (sigTag) {
 	case SEC_OID_PKCS1_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
 	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
 	    break;
 	case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
 	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
 	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
--- a/security/nss/lib/ssl/sslerrstrs.c
+++ b/security/nss/lib/ssl/sslerrstrs.c
@@ -33,17 +33,16 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #include "prerror.h"
 #include "sslerr.h"
 #include "prinit.h"
 #include "nssutil.h"
 #include "ssl.h"
-#include "sslerrstrs.h"
 
 #define ER3(name, value, str) {#name, str},
 
 static const struct PRErrorMessage ssltext[] = {
 #include "SSLerrs.h"
     {0,0}
 };
 
@@ -54,13 +53,14 @@ static const struct PRErrorTable ssl_et 
 
 static PRStatus
 ssl_InitializePRErrorTableOnce(void) {
     return PR_ErrorInstallTable(&ssl_et);
 }
 
 static PRCallOnceType once;
 
-PRStatus
+SECStatus
 ssl_InitializePRErrorTable(void)
 {
-    return PR_CallOnce(&once, ssl_InitializePRErrorTableOnce);
+    return (PR_SUCCESS == PR_CallOnce(&once, ssl_InitializePRErrorTableOnce))
+		? SECSuccess : SECFailure;
 }
deleted file mode 100644
--- a/security/nss/lib/ssl/sslerrstrs.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id: sslerrstrs.h,v 1.1 2011/08/17 14:41:02 emaldona%redhat.com Exp $ */
-
-#ifndef __sslerrstrs_h_
-#define __sslerrstrs_h_
-
-#include "prtypes.h"
-
-SEC_BEGIN_PROTOS
-
-extern PRStatus 
-ssl_InitializePRErrorTable(void);
-
-SEC_END_PROTOS
-
-#endif /* __sslerrstrs_h_ */
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -34,17 +34,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.83 2011/10/01 03:59:54 bsmith%mozilla.com Exp $ */
+/* $Id: sslimpl.h,v 1.84 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
 
 #ifdef DEBUG
 #undef NDEBUG
 #else
 #undef NDEBUG
@@ -1146,16 +1146,20 @@ extern const char * const      ssl3_ciph
 extern sslSessionIDLookupFunc  ssl_sid_lookup;
 extern sslSessionIDCacheFunc   ssl_sid_cache;
 extern sslSessionIDUncacheFunc ssl_sid_uncache;
 
 /************************************************************************/
 
 SEC_BEGIN_PROTOS
 
+/* Internal initialization and installation of the SSL error tables */
+extern SECStatus ssl_Init(void);
+extern SECStatus ssl_InitializePRErrorTable(void);
+
 /* Implementation of ops for default (non socks, non secure) case */
 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
 extern int ssl_DefListen(sslSocket *ss, int backlog);
 extern int ssl_DefShutdown(sslSocket *ss, int how);
 extern int ssl_DefClose(sslSocket *ss);
 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
--- a/security/nss/lib/ssl/sslinit.c
+++ b/security/nss/lib/ssl/sslinit.c
@@ -31,30 +31,31 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslinit.c,v 1.1 2011/08/17 14:41:05 emaldona%redhat.com Exp $ */
+/* $Id: sslinit.c,v 1.2 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 #include "prtypes.h"
 #include "prinit.h"
 #include "seccomon.h"
 #include "secerr.h"
 #include "ssl.h"
-#include "sslerrstrs.h"
+#include "sslimpl.h"
 
 static int ssl_inited = 0;
 
 SECStatus
 ssl_Init(void)
 {
     if (!ssl_inited) {
-	if (ssl_InitializePRErrorTable() == PR_FAILURE) {
-	   return (SEC_ERROR_NO_MEMORY);
+	if (ssl_InitializePRErrorTable() != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return (SECFailure);
 	}
 	ssl_inited = 1;
     }
     return SECSuccess;
 }
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.58 2011/10/01 00:11:02 wtc%google.com Exp $ */
+/* $Id: sslsnce.c,v 1.59 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
  * cache sids!
  *
  * About record locking among different server processes:
  *
  * All processes that are part of the same conceptual server (serving on 
  * the same address and port) MUST share a common SSL session cache. 
@@ -78,17 +78,16 @@
 #include "seccomon.h"
 
 #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)
 
 #include "cert.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
-#include "sslutil.h"
 #include "pk11func.h"
 #include "base64.h"
 #include "keyhi.h"
 #include "blapi.h"
 
 #include <stdio.h>
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -35,24 +35,23 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.74 2011/10/06 22:42:34 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.75 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
-#include "sslutil.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #include "blapi.h"
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
 
 struct cipherPolicyStr {
deleted file mode 100644
--- a/security/nss/lib/ssl/sslutil.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id: sslutil.h,v 1.1 2011/08/17 14:41:20 emaldona%redhat.com Exp $ */
-
-#ifndef __sslutil_h_
-#define __sslutil_h_
-
-#include "prtypes.h"
-
-SEC_BEGIN_PROTOS
-
-extern PRStatus SSL_InitializePRErrorTable(void);
-extern SECStatus ssl_Init(void);
-
-SEC_END_PROTOS
-
-#endif /* __sslutil_h_ */
--- a/security/nss/lib/util/secalgid.c
+++ b/security/nss/lib/util/secalgid.c
@@ -65,24 +65,26 @@ SECOID_SetAlgorithmID(PRArenaPool *arena
     if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
 	return SECFailure;
 
     switch (which) {
       case SEC_OID_MD2:
       case SEC_OID_MD4:
       case SEC_OID_MD5:
       case SEC_OID_SHA1:
+      case SEC_OID_SHA224:
       case SEC_OID_SHA256:
       case SEC_OID_SHA384:
       case SEC_OID_SHA512:
       case SEC_OID_PKCS1_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
 	add_null_param = PR_TRUE;
 	break;
       default:
 	add_null_param = PR_FALSE;
 	break;