fixup commit for tag 'NSS_3_3_1_RTM' FORMREWRITE_20011008_BRANCH NSS_3_3_1_RTM
authorcvs2hg
Fri, 28 Sep 2001 22:30:38 +0000
branchFORMREWRITE_20011008_BRANCH
changeset 2086 214c7d1b0ceebf80db158bbf29928aaf1b998cae
parent 2042 2c223b79cacfcb4a5abe9b9fe316ca270e442877
child 10660 3af98a6927fc1fd4d500360a5f8b303f7a42b50a
push idunknown
push userunknown
push dateunknown
fixup commit for tag 'NSS_3_3_1_RTM'
dbm/include/Makefile.win
dbm/include/cdefs.h
dbm/include/mcom_db.h
dbm/tests/lots.c
security/dbm/Makefile
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/signtool/util.c
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/ssl/sslcon.c
security/nss/tests/all.sh
security/nss/tests/cert/cert.sh
security/nss/tests/common/init.sh
security/nss/tests/fips/fips.sh
security/nss/tests/ssl/ssl_dist_stress.sh
security/nss/tests/tools/tools.sh
--- a/dbm/include/Makefile.win
+++ b/dbm/include/Makefile.win
@@ -42,19 +42,22 @@ DEPTH= ..\..
 MAKE_OBJ_TYPE=EXE
 !endif
 
 #//------------------------------------------------------------------------
 #//
 #// install headers
 #//
 #//------------------------------------------------------------------------
-EXPORTS=nsres.h cdefs.h mcom_db.h ncompat.h winfile.h
+INSTALL_DIR=$(XPDIST)\include
+INSTALL_FILE_LIST= nsres.h cdefs.h mcom_db.h ncompat.h winfile.h
 
 #//------------------------------------------------------------------------
 #//
 #// Include the common makefile rules
 #//
 #//------------------------------------------------------------------------
 include <$(DEPTH)/config/rules.mak>
 
 CFLAGS = $(CFLAGS) -DMOZILLA_CLIENT
 
+export:: INSTALL_FILES
+
--- a/dbm/include/cdefs.h
+++ b/dbm/include/cdefs.h
@@ -1,45 +1,29 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
- * The contents of this file are subject to the Netscape Public License
- * Version 1.1 (the "License"); you may not use this file except in
- * compliance with the License. You may obtain a copy of the License at
- * http://www.mozilla.org/NPL/
+ * The contents of this file are subject to the Netscape Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/NPL/
  *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
  *
  * The Original Code is mozilla.org code.
  *
- * The Initial Developer of the Original Code is 
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 1998 Netscape Communications Corporation. All
+ * Rights Reserved.
  *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the NPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the NPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
+ * Contributor(s): 
+ */
 
 /*
  * Copyright (c) 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
  *
  * This code is derived from software contributed to Berkeley by
  * Berkeley Software Design, Inc.
  *
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -1,45 +1,29 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
- * The contents of this file are subject to the Netscape Public License
- * Version 1.1 (the "License"); you may not use this file except in
- * compliance with the License. You may obtain a copy of the License at
- * http://www.mozilla.org/NPL/
+ * The contents of this file are subject to the Netscape Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/NPL/
  *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
  *
  * The Original Code is mozilla.org code.
  *
- * The Initial Developer of the Original Code is 
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 1998 Netscape Communications Corporation. All
+ * Rights Reserved.
  *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the NPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the NPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
+ * Contributor(s): 
+ */
 
 /*- 
  * Copyright (c) 1990, 1993, 1994
  *	The Regents of the University of California.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
--- a/dbm/tests/lots.c
+++ b/dbm/tests/lots.c
@@ -1,45 +1,29 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
- * The contents of this file are subject to the Netscape Public License
- * Version 1.1 (the "License"); you may not use this file except in
- * compliance with the License. You may obtain a copy of the License at
- * http://www.mozilla.org/NPL/
+ * The contents of this file are subject to the Netscape Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/NPL/
  *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
  *
  * The Original Code is mozilla.org code.
  *
- * The Initial Developer of the Original Code is 
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 1998 Netscape Communications Corporation. All
+ * Rights Reserved.
  *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the NPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the NPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
+ * Contributor(s): 
+ */
 
 /* use sequental numbers printed to strings
  * to store lots and lots of entries in the
  * database.
  *
  * Start with 100 entries, put them and then
  * read them out.  Then delete the first
  * half and verify that all of the first half
new file mode 100644
--- /dev/null
+++ b/security/dbm/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+coreconf_hack:
+	cd ../coreconf; gmake
+	gmake import
+
+RelEng_bld: coreconf_hack
+	gmake
new file mode 100644
--- /dev/null
+++ b/security/dbm/include/Makefile
@@ -0,0 +1,86 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+DBM_SRCS = $(EXPORTS) $(PRIVATE_EXPORTS) watcomfx.h
+
+export:: $(DBM_SRCS)
+
+libs:: $(DBM_SRCS)
+
+program:: $(DBM_SRCS)
+
+private_export:: $(DBM_SRCS)
+
+echo::
+	echo "$(DBM_SRCS)"
new file mode 100644
--- /dev/null
+++ b/security/dbm/include/manifest.mn
@@ -0,0 +1,57 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH = ../..
+
+VPATH  = $(CORE_DEPTH)/../dbm/include
+
+MODULE = dbm
+
+EXPORTS =	nsres.h   \
+		cdefs.h   \
+		mcom_db.h \
+		ncompat.h \
+		winfile.h \
+		$(NULL)
+
+PRIVATE_EXPORTS =	hsearch.h \
+			page.h    \
+			extern.h  \
+			ndbm.h    \
+			queue.h   \
+			hash.h    \
+			mpool.h   \
+			search.h  \
+			$(NULL)
+
new file mode 100644
--- /dev/null
+++ b/security/dbm/manifest.mn
@@ -0,0 +1,46 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH = ..
+
+MODULE = dbm
+
+#IMPORTS = nspr20/v3.5
+IMPORTS = nspr20/v4.0
+
+RELEASE = dbm
+
+DIRS =  include \
+        src     \
+	$(NULL)
new file mode 100644
--- /dev/null
+++ b/security/dbm/src/Makefile
@@ -0,0 +1,85 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+DBM_SRCS = $(CSRCS)
+
+export:: $(DBM_SRCS)
+
+libs:: $(DBM_SRCS)
+
+program:: $(DBM_SRCS)
+
+private_export:: $(DBM_SRCS)
+
+echo::
+	echo "$(DBM_SRCS)"
new file mode 100644
--- /dev/null
+++ b/security/dbm/src/config.mk
@@ -0,0 +1,66 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG) -DNSPR20=1
+
+INCLUDES += -I../include
+INCLUDES += -I$(CORE_DEPTH)/../dbm/include
+
+#
+#  Currently, override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PURE_LIBRARY   =
+PROGRAM        =
+
+ifdef SHARED_LIBRARY
+	ifeq ($(OS_ARCH),WINNT)
+		ifneq ($(OS_TARGET),WIN16)
+			DLLBASE=/BASE:0x30000000
+			RES=$(OBJDIR)/dbm.res
+			RESNAME=../include/dbm.rc
+		endif
+	endif
+	ifeq ($(DLL_SUFFIX),dll)
+		DEFINES += -D_DLL
+	endif
+endif
+
+ifeq ($(OS_ARCH),AIX)
+	OS_LIBS += -lc_r
+endif
new file mode 100644
--- /dev/null
+++ b/security/dbm/src/manifest.mn
@@ -0,0 +1,57 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH = ../..
+
+VPATH  = $(CORE_DEPTH)/../dbm/src
+
+MODULE = dbm
+
+CSRCS = db.c	   \
+	h_bigkey.c \
+	h_func.c   \
+	h_log2.c   \
+	h_page.c   \
+	hash.c	   \
+	hash_buf.c \
+	hsearch.c  \
+	memmove.c  \
+	mktemp.c   \
+	ndbm.c	   \
+#	snprintf.c \
+	strerror.c \
+	nsres.c	   \
+	$(NULL)
+
+LIBRARY_NAME = dbm
new file mode 100644
--- /dev/null
+++ b/security/dbm/tests/Makefile
@@ -0,0 +1,125 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+DEPTH		= ../..
+CORE_DEPTH	= ../..
+
+VPATH		= $(CORE_DEPTH)/../dbm/tests
+
+MODULE		= dbm
+
+CSRCS		= lots.c
+
+PROGRAM		= lots
+
+include $(DEPTH)/coreconf/config.mk
+
+ifeq ($(OS_ARCH),WINNT)
+DEFINES		+= -DSTDARG -DSTDC_HEADERS
+LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
+else
+LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
+endif
+
+ifeq ($(OS_ARCH),AIX)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),BSD_386)
+CFLAGS		+= -g -I../../../include -DXP_UNIX -g -DBSDI -DHAVE_STRERROR -D__386BSD__ -DDEBUG -DMEMMOVE -D__DBINTERFACE_PRIVATE 
+endif
+
+ifeq ($(OS_ARCH),FreeBSD)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),HP-UX)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),IRIX)
+CFLAGS		+= -g -I../../../include -DDEBUG -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),OSF1)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),Linux)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),NCR)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),SCO_SV)
+CFLAGS		+= -DSTDARG
+endif
+
+ifeq ($(OS_ARCH),SunOS)
+CFLAGS		+= -g -I../../../include -D_sun_
+endif
+
+ifeq ($(OS_ARCH),UNIXWARE)
+CFLAGS		+= -DSTDARG
+endif
+
+INCLUDES	+= -I../include
+INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
+
+LDFLAGS		= $(LDOPTS) $(LIBDBM)
+
+include $(DEPTH)/coreconf/rules.mk
+
+lots.pure: lots
+	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
+
+crash: crash.o $(MYLIBS)
+	$(CC) -o crash $(CFLAGS) $^
+
+crash.pure: crash.o $(MYLIBS)
+	purify $(CC) -o crash.pure $(CFLAGS) $^
+
+
+
+DBM_SRCS = $(CSRCS)
+
+export:: $(DBM_SRCS)
+
+libs:: $(DBM_SRCS)
+
+program:: $(DBM_SRCS)
+
+private_export:: $(DBM_SRCS)
+
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -73,17 +73,17 @@
 
 extern SECKEYPrivateKey *CERTUTIL_GeneratePrivateKey(KeyType keytype,
 						     PK11SlotInfo *slot, 
                                                      int rsasize,
 						     int publicExponent,
 						     char *noise,
 						     SECKEYPublicKey **pubkeyp,
 						     char *pqgFile,
-                                                     char *passFile);
+                                                     secuPWData *pwdata);
 
 static char *progName;
 
 static CERTGeneralName *
 GetGeneralName (PRArenaPool *arena)
 {
     CERTGeneralName *namesList = NULL;
     CERTGeneralName *current;
@@ -506,28 +506,34 @@ ChangeTrustAttributes(CERTCertDBHandle *
     return SECSuccess;
 }
 
 static SECStatus
 printCertCB(CERTCertificate *cert, void *arg)
 {
     SECStatus rv;
     SECItem data;
+    CERTCertTrust *trust = (CERTCertTrust *)arg;
     
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, "Certificate", 0,
 			      SECU_PrintCertificate);
     if (rv) {
 	SECU_PrintError(progName, "problem printing certificate");
 	return(SECFailure);
     }
-    SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust,
-			 "Certificate Trust Flags", 1);
+    if (trust) {
+	SECU_PrintTrustFlags(stdout, trust,
+	                     "Certificate Trust Flags", 1);
+    } else {
+	SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust,
+	                     "Certificate Trust Flags", 1);
+    }
 
     printf("\n");
 
     return(SECSuccess);
 }
 
 static SECStatus
 listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
@@ -576,49 +582,53 @@ listCerts(CERTCertDBHandle *handle, char
 	    /* Pretty-print cert. */
 	    rv = CERT_TraversePermCertsForNickname(handle, name, printCertCB,
 	                                           NULL);
 	}
     } else {
 	/* List certs on a non-internal slot. */
 	if (PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
-	rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout);
+	if (name) {
+	    CERTCertificate *the_cert;
+	    the_cert = PK11_FindCertFromNickname(name, NULL);
+	    if (!the_cert) {
+		SECU_PrintError(progName, "Could not find: %s\n", name);
+		return SECFailure;
+	    }
+	    rv = printCertCB(the_cert, the_cert->trust);
+	} else {
+	    rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout);
+	}
 	if (rv) {
 	    SECU_PrintError(progName, "problem printing certificate nicknames");
 	    return SECFailure;
 	}
     }
 
     return SECSuccess;	/* not rv ?? */
 }
 
 static SECStatus
 ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
-          PRBool raw, PRBool ascii, PRFileDesc *outfile, char *passFile)
+          PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
 {
     SECStatus rv;
-    secuPWData pwdata = { PW_NONE, 0 };
-
-    if (passFile) {
-        pwdata.source = PW_FROMFILE;
-        pwdata.data = passFile;
-    }
 
     if (slot == NULL) {
 	PK11SlotList *list;
 	PK11SlotListElement *le;
 
 	list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,
-						PR_FALSE,PR_FALSE,&pwdata);
+						PR_FALSE,PR_FALSE,pwdata);
 	if (list) for (le = list->head; le; le = le->next) {
-	    rv = listCerts(handle,name,le->slot,raw,ascii,outfile,&pwdata);
+	    rv = listCerts(handle,name,le->slot,raw,ascii,outfile,pwdata);
 	}
     } else {
-	rv = listCerts(handle,name,slot,raw,ascii,outfile,&pwdata);
+	rv = listCerts(handle,name,slot,raw,ascii,outfile,pwdata);
     }
     return rv;
 }
 
 
 static SECStatus 
 DeleteCert(CERTCertDBHandle *handle, char *name)
 {
@@ -638,17 +648,17 @@ DeleteCert(CERTCertDBHandle *handle, cha
 	return SECFailure;
     }
 
     return SECSuccess;
 }
 
 static SECStatus
 ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
-	     char *certUsage, PRBool checkSig, PRBool logit)
+	     char *certUsage, PRBool checkSig, PRBool logit, secuPWData *pwdata)
 {
     SECStatus rv;
     CERTCertificate *cert;
     int64 timeBoundary;
     SECCertUsage usage;
     CERTVerifyLog reallog;
     CERTVerifyLog *log = NULL;
     
@@ -696,17 +706,17 @@ ValidateCert(CERTCertDBHandle *handle, c
 	    log->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	    if ( log->arena == NULL ) {
 		SECU_PrintError(progName, "out of memory");
 		GEN_BREAK (SECFailure)
 	    }
 	}
  
 	rv = CERT_VerifyCert(handle, cert, checkSig, usage,
-			     timeBoundary, NULL, log);
+			     timeBoundary, pwdata, log);
 	if ( log ) {
 	    if ( log->head == NULL ) {
 		fprintf(stdout, "%s: certificate is valid\n", progName);
 		GEN_BREAK (SECSuccess)
 	    } else {
 		char *name;
 		CERTVerifyLogNode *node;
 		
@@ -827,21 +837,20 @@ printKeyCB(SECKEYPublicKey *key, SECItem
     return SECSuccess;
 }
 
 /* callback for listing certs through pkcs11 */
 SECStatus
 secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
 {
     FILE *out;
-    char *name;
-    SECKEYPublicKey *key;
+    SECKEYPrivateKey *key;
 
     out = (FILE *)data;
-    key = CERT_ExtractPublicKey(cert);
+    key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
     if (!key) {
 	fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
 	return SECFailure;
     }
     /* XXX should have a type field also */
     fprintf(out, "<%d> %s\n", 0, cert->nickname);
 
     return SECSuccess;
@@ -877,25 +886,19 @@ listKeys(PK11SlotInfo *slot, KeyType key
 #ifdef notdef
     }
     return rv;
 #endif
 }
 
 static SECStatus
 ListKeys(PK11SlotInfo *slot, char *keyname, int index, 
-         KeyType keyType, PRBool dopriv, char *passFile)
+         KeyType keyType, PRBool dopriv, secuPWData *pwdata)
 {
     SECStatus rv = SECSuccess;
-    secuPWData pwdata = { PW_NONE, 0 };
-
-    if (passFile) {
-        pwdata.source = PW_FROMFILE;
-        pwdata.data = passFile;
-    }
 
 #ifdef notdef
     if (keyname) {
 	if (dopriv) {
 	    return DumpPrivateKey(index, keyname, stdout);
 	} else {
 	    return DumpPublicKey(index, keyname, stdout);
 	}
@@ -904,39 +907,44 @@ ListKeys(PK11SlotInfo *slot, char *keyna
     /* For now, split handling of slot to internal vs. other.  slot should
      * probably be allowed to be NULL so that all slots can be listed.
      * In that case, need to add a call to PK11_TraverseSlotCerts().
      */
     if (slot == NULL) {
 	PK11SlotList *list;
 	PK11SlotListElement *le;
 
-	list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,&pwdata);
+	list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata);
 	if (list) for (le = list->head; le; le = le->next) {
-	    rv = listKeys(le->slot,keyType,&pwdata);
+	    rv = listKeys(le->slot,keyType,pwdata);
 	}
     } else {
-	rv = listKeys(slot,keyType,&pwdata);
+	rv = listKeys(slot,keyType,pwdata);
     }
     return rv;
 }
 
-#ifdef notdef
 static SECStatus
-DeleteKey(SECKEYKeyDBHandle *handle, char *nickname)
+DeleteKey(char *nickname, secuPWData *pwdata)
 {
     SECStatus rv;
+    CERTCertificate *cert;
+    PK11SlotInfo *slot;
 
-    rv = SECU_DeleteKeyByName(handle, nickname);
+    slot = PK11_GetInternalKeySlot();
+    if (PK11_NeedLogin(slot))
+	PK11_Authenticate(slot, PR_TRUE, pwdata);
+    cert = PK11_FindCertFromNickname(nickname, pwdata);
+    if (!cert) return SECFailure;
+    rv = PK11_DeleteTokenCertAndKey(cert, pwdata);
     if (rv != SECSuccess) {
 	SECU_PrintError("problem deleting private key \"%s\"\n", nickname);
     }
     return rv;
 }
-#endif
 
 
 /*
  *  L i s t M o d u l e s
  *
  *  Print a list of the PKCS11 modules that are
  *  available. This is useful for smartcard people to
  *  make sure they have the drivers loaded.
@@ -996,17 +1004,17 @@ Usage(char *progName)
 	progName);
     FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x]  -t trustargs\n"
 	"\t\t [-k key-type] [-h token-name] [-g key-size]\n"
         "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
 	"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
         "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6]\n",
 	progName);
     FPS "\t%s -U [-d certdir] [-P dbprefix]\n", progName);
-    exit(-1);
+    exit(1);
 }
 
 static void LongUsage(char *progName)
 {
 
     FPS "%-15s Add a certificate to the database        (create if needed)\n",
 	"-A");
     FPS "%-15s Add an Email certificate to the database (create if needed)\n",
@@ -1155,17 +1163,16 @@ static void LongUsage(char *progName)
 
     FPS "%-15s Create a new certificate database\n",
 	"-N");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
 	"   -P dbprefix");
     FPS "\n");
-
     FPS "%-15s Reset the Key database or token\n",
 	"-T");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
 	"   -P dbprefix");
     FPS "%-20s Token to reset (default is internal)\n"
 	"   -h token-name");
@@ -1255,17 +1262,17 @@ static void LongUsage(char *progName)
     FPS "%-20s Create crl distribution point extension\n",
 	"   -4 ");
     FPS "%-20s Create netscape cert type extension\n",
 	"   -5 ");
     FPS "%-20s Create extended key usage extension\n",
 	"   -6 ");
     FPS "\n");
 
-    exit(-1);
+    exit(1);
 #undef FPS
 }
 
 
 static CERTCertificate *
 MakeV1Cert(	CERTCertDBHandle *	handle, 
 		CERTCertificateRequest *req,
 	    	char *			issuerNickName, 
@@ -2209,17 +2216,17 @@ main(int argc, char **argv)
 	SECU_ConfigDirectory(certutil.options[opt_CertDir].arg);
 
     if (certutil.options[opt_KeySize].activated) {
 	keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
 	if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
 	    PR_fprintf(PR_STDERR, 
                        "%s -g:  Keysize must be between %d and %d.\n",
 	               MIN_KEY_BITS, MAX_KEY_BITS);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -h specify token name  */
     if (certutil.options[opt_TokenName].activated) {
 	if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
 	    slotname = NULL;
 	else
@@ -2232,77 +2239,77 @@ main(int argc, char **argv)
 	    keytype = rsaKey;
 	} else if (PL_strcmp(certutil.options[opt_KeyType].arg, "dsa") == 0) {
 	    keytype = dsaKey;
 	} else if (PL_strcmp(certutil.options[opt_KeyType].arg, "all") == 0) {
 	    keytype = nullKey;
 	} else {
 	    PR_fprintf(PR_STDERR, "%s -k:  %s is not a recognized type.\n",
 	               progName, certutil.options[opt_KeyType].arg);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -m serial number */
     if (certutil.options[opt_SerialNumber].activated) {
 	serialNumber = PORT_Atoi(certutil.options[opt_SerialNumber].arg);
 	if (serialNumber < 0) {
 	    PR_fprintf(PR_STDERR, "%s -m:  %s is not a valid serial number.\n",
 	               progName, certutil.options[opt_SerialNumber].arg);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -P certdb name prefix */
     if (certutil.options[opt_DBPrefix].activated)
 	certPrefix = strdup(certutil.options[opt_DBPrefix].arg);
 
     /*  -q PQG file  */
     if (certutil.options[opt_PQGFile].activated) {
 	if (keytype != dsaKey) {
 	    PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
 	               progName);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -s subject name  */
     if (certutil.options[opt_Subject].activated) {
 	subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
 	if (!subject) {
 	    PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
 	               progName, certutil.options[opt_Subject].arg);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -v validity period  */
     if (certutil.options[opt_Validity].activated) {
 	validitylength = PORT_Atoi(certutil.options[opt_Validity].arg);
 	if (validitylength < 0) {
 	    PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
 	               progName, certutil.options[opt_Validity].arg);
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  -w warp months  */
     if (certutil.options[opt_OffsetMonths].activated)
 	warpmonths = PORT_Atoi(certutil.options[opt_OffsetMonths].arg);
 
     /*  -y public exponent (for RSA)  */
     if (certutil.options[opt_Exponent].activated) {
 	publicExponent = PORT_Atoi(certutil.options[opt_Exponent].arg);
 	if ((publicExponent != 3) &&
 	    (publicExponent != 17) &&
 	    (publicExponent != 65537)) {
 	    PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", 
 	                           progName, publicExponent);
 	    PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  Check number of commands entered.  */
     commandsEntered = 0;
     for (i=0; i< certutil.numCommands; i++) {
 	if (certutil.commands[i].activated) {
 	    commandToRun = certutil.commands[i].flag;
@@ -2314,17 +2321,17 @@ main(int argc, char **argv)
     if (commandsEntered > 1) {
 	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);
 	PR_fprintf(PR_STDERR, "You entered: ");
 	for (i=0; i< certutil.numCommands; i++) {
 	    if (certutil.commands[i].activated)
 		PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
 	}
 	PR_fprintf(PR_STDERR, "\n");
-	return -1;
+	return 255;
     }
     if (commandsEntered == 0) {
 	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
 	Usage(progName);
     }
 
     /*  -A, -D, -F, -M, -S, -V, and all require -n  */
     if ((certutil.commands[cmd_AddCert].activated ||
@@ -2332,69 +2339,69 @@ main(int argc, char **argv)
          certutil.commands[cmd_DeleteKey].activated ||
          certutil.commands[cmd_ModifyCertTrust].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CheckCertValidity].activated) &&
         !certutil.options[opt_Nickname].activated) {
 	PR_fprintf(PR_STDERR, 
 	          "%s -%c: nickname is required for this command (-n).\n",
 	           progName, commandToRun);
-	return -1;
+	return 255;
     }
 
     /*  -A, -E, -M, -S require trust  */
     if ((certutil.commands[cmd_AddCert].activated ||
          certutil.commands[cmd_AddEmailCert].activated ||
          certutil.commands[cmd_ModifyCertTrust].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated) &&
         !certutil.options[opt_Trust].activated) {
 	PR_fprintf(PR_STDERR, 
 	          "%s -%c: trust is required for this command (-t).\n",
 	           progName, commandToRun);
-	return -1;
+	return 255;
     }
 
     /*  if -L is given raw or ascii mode, it must be for only one cert.  */
     if (certutil.commands[cmd_ListCerts].activated &&
         (certutil.options[opt_ASCIIForIO].activated ||
          certutil.options[opt_BinaryDER].activated) &&
         !certutil.options[opt_Nickname].activated) {
 	PR_fprintf(PR_STDERR, 
 	        "%s: nickname is required to dump cert in raw or ascii mode.\n",
 	           progName);
-	return -1;
+	return 255;
     }
     
     /*  -L can only be in (raw || ascii).  */
     if (certutil.commands[cmd_ListCerts].activated &&
         certutil.options[opt_ASCIIForIO].activated &&
         certutil.options[opt_BinaryDER].activated) {
 	PR_fprintf(PR_STDERR, 
 	           "%s: cannot specify both -r and -a when dumping cert.\n",
 	           progName);
-	return -1;
+	return 255;
     }
 
     /*  For now, deny -C -x combination */
     if (certutil.commands[cmd_CreateNewCert].activated &&
         certutil.options[opt_SelfSign].activated) {
 	PR_fprintf(PR_STDERR,
 	           "%s: self-signing a cert request is not supported.\n",
 	           progName);
-	return -1;
+	return 255;
     }
 
     /*  If making a cert request, need a subject.  */
     if ((certutil.commands[cmd_CertReq].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated) &&
         !certutil.options[opt_Subject].activated) {
 	PR_fprintf(PR_STDERR, 
 	           "%s -%c: subject is required to create a cert request.\n",
 	           progName, commandToRun);
-	return -1;
+	return 255;
     }
 
     /*  If making a cert, need a serial number.  */
     if ((certutil.commands[cmd_CreateNewCert].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated) &&
          !certutil.options[opt_SerialNumber].activated) {
 	/*  Make a default serial number from the current time.  */
 	PRTime now = PR_Now();
@@ -2402,95 +2409,95 @@ main(int argc, char **argv)
     }
 
     /*  Validation needs the usage to validate for.  */
     if (certutil.commands[cmd_CheckCertValidity].activated &&
         !certutil.options[opt_Usage].activated) {
 	PR_fprintf(PR_STDERR, 
 	           "%s -V: specify a usage to validate the cert for (-u).\n",
 	           progName);
-	return -1;
+	return 255;
     }
     
     /*  To make a cert, need either a issuer or to self-sign it.  */
     if (certutil.commands[cmd_CreateAndAddCert].activated &&
 	!(certutil.options[opt_IssuerName].activated ||
           certutil.options[opt_SelfSign].activated)) {
 	PR_fprintf(PR_STDERR,
 	           "%s -S: must specify issuer (-c) or self-sign (-x).\n",
 	           progName);
-	return -1;
+	return 255;
     }
 
     /*  Using slotname == NULL for listing keys and certs on all slots, 
      *  but only that. */
     if (!(certutil.commands[cmd_ListKeys].activated ||
     	  certutil.commands[cmd_ListCerts].activated) && slotname == NULL) {
 	PR_fprintf(PR_STDERR,
 	           "%s -%c: cannot use \"-h all\" for this command.\n",
 	           progName, commandToRun);
-	return -1;
+	return 255;
     }
 
     /*  Using keytype == nullKey for list all key types, but only that.  */
     if (!certutil.commands[cmd_ListKeys].activated && keytype == nullKey) {
 	PR_fprintf(PR_STDERR,
 	           "%s -%c: cannot use \"-k all\" for this command.\n",
 	           progName, commandToRun);
-	return -1;
+	return 255;
     }
 
     /*  -S  open outFile, temporary file for cert request.  */
     if (certutil.commands[cmd_CreateAndAddCert].activated) {
 	outFile = PR_Open(certreqfile, PR_RDWR | PR_CREATE_FILE, 00660);
 	if (!outFile) {
 	    PR_fprintf(PR_STDERR, 
 		       "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
 		       progName, certreqfile,
 		       PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  Open the input file.  */
     if (certutil.options[opt_InputFile].activated) {
 	inFile = PR_Open(certutil.options[opt_InputFile].arg, PR_RDONLY, 0);
 	if (!inFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
 	               progName, certutil.options[opt_InputFile].arg,
 	               PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  Open the output file.  */
     if (certutil.options[opt_OutputFile].activated && !outFile) {
 	outFile = PR_Open(certutil.options[opt_OutputFile].arg, 
                           PR_CREATE_FILE | PR_RDWR, 00660);
 	if (!outFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for writing (%ld, %ld).\n",
 	               progName, certutil.options[opt_OutputFile].arg,
 	               PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
     }
 
     name = SECU_GetOptionArg(&certutil, opt_Nickname);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
     /*  Initialize NSPR and NSS.  */
     PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
     rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,
                         "secmod.db", 0);
     if (rv != SECSuccess) {
 	SECU_PrintPRandOSError(progName);
-	return -1;
+	return 255;
     }
     certHandle = CERT_GetDefaultCertDB();
 
     if (certutil.commands[cmd_Version].activated) {
 	int version = CERT_GetDBContentVersion(certHandle);
 	printf("Certificate database content version:  %d\n", version);
     }
 
@@ -2506,74 +2513,78 @@ main(int argc, char **argv)
 
     /* The following 8 options are mutually exclusive with all others. */
 
     /*  List certs (-L)  */
     if (certutil.commands[cmd_ListCerts].activated) {
 	rv = ListCerts(certHandle, name, slot,
 	               certutil.options[opt_BinaryDER].activated,
 	               certutil.options[opt_ASCIIForIO].activated, 
-                       (outFile) ? outFile : PR_STDOUT,
-		       certutil.options[opt_PasswordFile].arg);
-	return !rv - 1;
+                       (outFile) ? outFile : PR_STDOUT, &pwdata);
+	return rv ? 255 : 0;
     }
     /*  XXX needs work  */
     /*  List keys (-K)  */
     if (certutil.commands[cmd_ListKeys].activated) {
 	rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/,
-		       certutil.options[opt_PasswordFile].arg);
-	return !rv - 1;
+	              &pwdata);
+	return rv ? 255 : 0;
     }
     /*  List modules (-U)  */
     if (certutil.commands[cmd_ListModules].activated) {
 	rv = ListModules();
-	return !rv - 1;
+	return rv ? 255 : 0;
     }
     /*  Delete cert (-D)  */
     if (certutil.commands[cmd_DeleteCert].activated) {
 	rv = DeleteCert(certHandle, name);
-	return !rv - 1;
+	return rv ? 255 : 0;
     }
-#ifdef notdef
     /*  Delete key (-F)  */
     if (certutil.commands[cmd_DeleteKey].activated) {
-	rv = DeleteKey(keyHandle, name);
-	return !rv - 1;
+	rv = DeleteKey(name, &pwdata);
+	return rv ? 255 : 0;
     }
-#endif
     /*  Modify trust attribute for cert (-M)  */
     if (certutil.commands[cmd_ModifyCertTrust].activated) {
 	rv = ChangeTrustAttributes(certHandle, name, 
 	                           certutil.options[opt_Trust].arg);
-	return !rv - 1;
+	return rv ? 255 : 0;
     }
     /*  Change key db password (-W) (future - change pw to slot?)  */
     if (certutil.commands[cmd_ChangePassword].activated) {
 	rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg);
-	return !rv - 1;
+	return rv ? 255 : 0;
     }
     /*  Reset the a token */
     if (certutil.commands[cmd_TokenReset].activated) {
 	char *sso_pass = "";
 
 	if (certutil.options[opt_SSOPass].activated) {
 	    sso_pass = certutil.options[opt_SSOPass].arg;
  	}
 	rv = PK11_ResetToken(slot,sso_pass);
 
-	return !rv - 1;
+ 	return !rv - 1;
     }
+
     /*  Check cert validity against current time (-V)  */
     if (certutil.commands[cmd_CheckCertValidity].activated) {
+	/* XXX temporary hack for fips - must log in to get priv key */
+	if (certutil.options[opt_VerifySig].activated) {
+	    if (PK11_NeedLogin(slot))
+		PK11_Authenticate(slot, PR_TRUE, &pwdata);
+	}
 	rv = ValidateCert(certHandle, name, 
 	                  certutil.options[opt_ValidityTime].arg,
 			  certutil.options[opt_Usage].arg,
 			  certutil.options[opt_VerifySig].activated,
-			  certutil.options[opt_DetailedInfo].activated);
-	return !rv - 1;
+			  certutil.options[opt_DetailedInfo].activated,
+	                  &pwdata);
+	return rv ? 255 : 0;
     }
 
     /*
      *  Key generation
      */
 
     /*  These commands require keygen.  */
     if (certutil.commands[cmd_CertReq].activated ||
@@ -2581,21 +2592,22 @@ main(int argc, char **argv)
 	certutil.commands[cmd_GenKeyPair].activated) {
 	/*  XXX Give it a nickname.  */
 	privkey = 
 	    CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
 	                                publicExponent, 
 	                                certutil.options[opt_NoiseFile].arg,
 	                                &pubkey, 
 	                                certutil.options[opt_PQGFile].arg,
-	                                certutil.options[opt_PasswordFile].arg);
+	                                &pwdata);
 	if (privkey == NULL) {
 	    SECU_PrintError(progName, "unable to generate key(s)\n");
-	    return -1;
+	    return 255;
 	}
+	privkey->wincx = &pwdata;
 	PORT_Assert(pubkey != NULL);
 
 	/*  If all that was needed was keygen, exit.  */
 	if (certutil.commands[cmd_GenKeyPair].activated) {
 	    return SECSuccess;
 	}
     }
 
@@ -2606,39 +2618,40 @@ main(int argc, char **argv)
     /*  Make a cert request (-R or -S).  */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CertReq].activated) {
 	rv = CertReq(privkey, pubkey, keytype, subject,
 	             certutil.options[opt_PhoneNumber].arg,
 	             certutil.options[opt_ASCIIForIO].activated,
 		     outFile ? outFile : PR_STDOUT);
 	if (rv) 
-	    return -1;
+	    return 255;
+	privkey->wincx = &pwdata;
     }
 
     /*
      *  Certificate creation
      */
 
     /*  If making and adding a cert, load the cert request file
      *  and output the cert to another file.
      */
     if (certutil.commands[cmd_CreateAndAddCert].activated) {
 	PR_Close(outFile);
 	inFile  = PR_Open(certreqfile, PR_RDONLY, 0);
 	if (!inFile) {
 	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
                        certreqfile, PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
 	outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE, 00660);
 	if (!outFile) {
 	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
                        certfile, PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
     }
 
     /*  Create a certificate (-C or -S).  */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CreateNewCert].activated) {
 	rv = CreateCert(certHandle, 
 	                certutil.options[opt_IssuerName].arg,
@@ -2648,44 +2661,44 @@ main(int argc, char **argv)
 	                certutil.options[opt_SelfSign].activated,
 	                certutil.options[opt_AddKeyUsageExt].activated,
 	                certutil.options[opt_AddExtKeyUsageExt].activated,
 	                certutil.options[opt_AddBasicConstraintExt].activated,
 	                certutil.options[opt_AddAuthorityKeyIDExt].activated,
 	                certutil.options[opt_AddCRLDistPtsExt].activated,
 	                certutil.options[opt_AddNSCertTypeExt].activated);
 	if (rv) 
-	    return -1;
+	    return 255;
     }
 
     /* 
      * Adding a cert to the database (or slot)
      */
  
     if (certutil.commands[cmd_CreateAndAddCert].activated) { 
 	PR_Close(inFile);
 	PR_Close(outFile);
 	inFile = PR_Open(certfile, PR_RDONLY, 0);
 	if (!inFile) {
 	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
                        certfile, PR_GetError(), PR_GetOSError());
-	    return -1;
+	    return 255;
 	}
     }
 
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_AddCert].activated ||
 	 certutil.commands[cmd_AddEmailCert].activated) {
 	rv = AddCert(slot, certHandle, name, 
 	             certutil.options[opt_Trust].arg,
 	             inFile, 
 	             certutil.options[opt_ASCIIForIO].activated,
 	             certutil.commands[cmd_AddEmailCert].activated);
 	if (rv) 
-	    return -1;
+	    return 255;
     }
 
     if (certutil.commands[cmd_CreateAndAddCert].activated) {
 	PR_Close(inFile);
 	PR_Delete(certfile);
 	PR_Delete(certreqfile);
     }
 
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -301,24 +301,24 @@ found_match:
     PORT_Free(str);
     return decode_pqg_params(str);
 }
 
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 			    int publicExponent, char *noise, 
 			    SECKEYPublicKey **pubkeyp, char *pqgFile,
-                            char *passFile)
+                            secuPWData *pwdata)
 {
     CK_MECHANISM_TYPE mechanism;
     SECOidTag algtag;
     PK11RSAGenParams rsaparams;
     PQGParams *dsaparams = NULL;
     void *params;
-    secuPWData pwdata = { PW_NONE, 0 };
+    PRArenaPool *dsaparena;
 
     /*
      * Do some random-number initialization.
      */
     RNG_SystemInfoForRNG();
 
     if (noise) {
     	RNG_FileForRNG(noise);
@@ -339,40 +339,46 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
 	params = &rsaparams;
 	break;
       case dsaKey:
 	mechanism = CKM_DSA_KEY_PAIR_GEN;
 	algtag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
 	if (pqgFile) {
 	    dsaparams = getpqgfromfile(size, pqgFile);
 	} else {
-	    dsaparams = &default_pqg_params;
+	    dsaparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	    if (dsaparena == NULL) return NULL;
+	    dsaparams = PORT_ArenaZAlloc(dsaparena, sizeof(PQGParams));
+	    if (dsaparams == NULL) return NULL;
+	    dsaparams->arena = dsaparena;
+	    SECITEM_AllocItem(dsaparena, &dsaparams->prime, sizeof P);
+	    SECITEM_AllocItem(dsaparena, &dsaparams->subPrime, sizeof Q);
+	    SECITEM_AllocItem(dsaparena, &dsaparams->base, sizeof G);
+	    PORT_Memcpy(dsaparams->prime.data, P, dsaparams->prime.len);
+	    PORT_Memcpy(dsaparams->subPrime.data, Q, dsaparams->subPrime.len);
+	    PORT_Memcpy(dsaparams->base.data, G, dsaparams->base.len);
 	}
 	params = dsaparams;
+	break;
       default:
 	return NULL;
     }
 
     if (slot == NULL)
 	return NULL;
 
-    if (passFile) {
-	pwdata.source = PW_FROMFILE;
-	pwdata.data = passFile;
-    }
-
-    if (PK11_Authenticate(slot, PR_TRUE, &pwdata) != SECSuccess)
+    if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
 	return NULL;
 
     fprintf(stderr, "\n\n");
     fprintf(stderr, "Generating key.  This may take a few moments...\n\n");
 
     return PK11_GenerateKeyPair(slot, mechanism, params, pubkeyp,
 				PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, 
-				NULL /*wincx*/);
+				pwdata /*wincx*/);
 }
 
 /*
  * The following is all functionality moved over from keyutil, which may
  * or may not become completely obsolete.  So, some of this stuff may
  * end up being turned on from within certutil.  Some is probably not
  * even feasible anymore (Add/Delete?).
  */
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -209,41 +209,49 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBo
     }
     return (char*) PORT_Strdup((char*)phrase);
 }
 
 char *
 SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) 
 {
     char prompt[255];
-    secuPWData *pwdata = arg;
+    secuPWData *pwdata = (secuPWData *)arg;
     secuPWData pwnull = { PW_NONE, 0 };
+    char *pw;
 
-    if (arg == NULL)
+    if (pwdata == NULL)
 	pwdata = &pwnull;
 
     if (retry && pwdata->source != PW_NONE) {
 	PR_fprintf(PR_STDERR, "incorrect password entered at command line.\n");
     	return NULL;
     }
 
-    sprintf(prompt, "Enter Password or Pin for \"%s\":",
-	    PK11_GetTokenName(slot));
-
     switch (pwdata->source) {
     case PW_NONE:
+	sprintf(prompt, "Enter Password or Pin for \"%s\":",
+	                 PK11_GetTokenName(slot));
 	return SECU_GetPasswordString(NULL, prompt);
     case PW_FROMFILE:
-	return SECU_FilePasswd(slot, retry, pwdata->data);
+	/* Instead of opening and closing the file every time, get the pw
+	 * once, then keep it in memory (duh).
+	 */
+	pw = SECU_FilePasswd(slot, retry, pwdata->data);
+	pwdata->source = PW_PLAINTEXT;
+	pwdata->data = PL_strdup(pw);
+	/* it's already been dup'ed */
+	return pw;
     case PW_PLAINTEXT:
-	return PL_strdup(arg);
+	return PL_strdup(pwdata->data);
     default:
 	break;
     }
 
+    PR_fprintf(PR_STDERR, "Password check failed:  No password found.\n");
     return NULL;
 }
 
 char *
 secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 {
     char *p0 = NULL;
     char *p1 = NULL;
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -541,17 +541,17 @@ P12U_ImportPKCS12Object(char *in_file, P
     tmpcxt = p12u_CreateTemporaryDigestFile();
     if(!tmpcxt) {
 	SECU_PrintError(progName,"Create Temporary digest file failed");
 	pk12uErrno = PK12UERR_TMPDIGCREATE;
 	goto loser;
     }
 
     /* init the decoder context */
-    p12dcx = SEC_PKCS12DecoderStart(&uniPwitem, slot, NULL,
+    p12dcx = SEC_PKCS12DecoderStart(&uniPwitem, slot, slotPw,
 				    p12u_DigestOpen, p12u_DigestClose,
 				    p12u_DigestRead, p12u_DigestWrite,
 				    tmpcxt);
     if(!p12dcx) {
 	SECU_PrintError(progName,"PKCS12 decoder start failed");
 	pk12uErrno = PK12UERR_PK12DECODESTART;
 	goto loser;
     }
@@ -690,52 +690,52 @@ p12u_WriteToExportFile(void *arg, const 
 	p12cxt->filename = NULL;
 	p12cxt->file = NULL;
 	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
 	p12cxt->error = PR_TRUE;
     }
 }
 
 void
-P12U_ExportPKCS12Object(char *nn, char *outfile,
+P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
 			secuPWData *slotPw, secuPWData *p12FilePw)
 {
     SEC_PKCS12ExportContext *p12ecx = NULL;
     SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL;
     SECItem *pwitem = NULL;
     PK11SlotInfo *slot = NULL;
     p12uContext *p12cxt = NULL;
     CERTCertificate *cert;
 
-    cert = PK11_FindCertFromNickname(nn, NULL);
+    if (P12U_InitSlot(inSlot, slotPw) != SECSuccess) {
+	SECU_PrintError(progName,"Failed to authenticate to \"%s\"",
+			  PK11_GetSlotName(inSlot));
+	pk12uErrno = PK12UERR_PK11GETSLOT;
+	goto loser;
+    }
+    cert = PK11_FindCertFromNickname(nn, slotPw);
     if(!cert) {
 	SECU_PrintError(progName,"find cert by nickname failed");
 	pk12uErrno = PK12UERR_FINDCERTBYNN;
 	return;
     }
 
     if (!cert->slot) {
 	SECU_PrintError(progName,"cert does not have a slot");
 	pk12uErrno = PK12UERR_FINDCERTBYNN;
 	goto loser;
     }
-    if (P12U_InitSlot(cert->slot, slotPw) != SECSuccess) {
-	SECU_PrintError(progName,"Failed to authenticate to \"%s\"",
-			  PK11_GetSlotName(cert->slot));
-	pk12uErrno = PK12UERR_PK11GETSLOT;
-	goto loser;
-    }
 
     /*	Password to use for PKCS12 file.  */
     pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
     if(!pwitem) {
 	goto loser;
     }
 
-    p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, cert->slot, NULL);
+    p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, cert->slot, slotPw);
     if(!p12ecx) {
 	SECU_PrintError(progName,"export context creation failed");
 	pk12uErrno = PK12UERR_EXPORTCXCREATE;
 	goto loser;
     }
 
     if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, SEC_OID_SHA1)
        != SECSuccess) {
@@ -947,36 +947,35 @@ main(int argc, char **argv)
     if (pk12util.options[opt_CertDir].activated) {
 	SECU_ConfigDirectory(pk12util.options[opt_CertDir].arg);
     }
     if (pk12util.options[opt_DBPrefix].activated) {
     	dbprefix = pk12util.options[opt_DBPrefix].arg;
     }
     P12U_Init(SECU_ConfigDirectory(NULL),dbprefix);
 
-    if (pk12util.options[opt_Import].activated) {
+    if (!slotname || PL_strcmp(slotname, "internal") == 0)
+	slot = PK11_GetInternalKeySlot();
+    else
+	slot = PK11_FindSlotByName(slotname);
 
-	if (!slotname || PL_strcmp(slotname, "internal") == 0)
-	    slot = PK11_GetInternalKeySlot();
-	else
-	    slot = PK11_FindSlotByName(slotname);
+    if (!slot) {
+	SECU_PrintError(progName,"Invalid slot \"%s\"", slotname);
+	goto done;
+    }
 
-	if (!slot) {
-	    SECU_PrintError(progName,"Invalid slot \"%s\"", slotname);
-	    goto done;
-	}
+    if (pk12util.options[opt_Import].activated) {
 
 	if ((ret = P12U_ImportPKCS12Object(import_file, slot, &slotPw,
 					   &p12FilePw)) != 0)
 	    goto done;
 
     } else if (pk12util.options[opt_Export].activated) {
-
 	P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
-				export_file, &slotPw, &p12FilePw);
+				export_file, slot, &slotPw, &p12FilePw);
     } else {
 	Usage(progName);
 	pk12uErrno = PK12UERR_USAGE;
     }
 
 done:
     NSS_Shutdown();
     exit(pk12uErrno);
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -347,18 +347,22 @@ foreach(char *dirname, char *prefix,
 		strcat (newdir, "/");
 		strcat (newdir, prefix);
 	}
 
 	dir = PR_OpenDir (newdir);
 	if (!dir) return -1;
 
 	for (entry = PR_ReadDir (dir,0); entry; entry = PR_ReadDir (dir,0)) {
-		if (*entry->name == '.' || *entry->name == '#')
-			continue;
+		if ( strcmp(entry->name, ".")==0   ||
+                     strcmp(entry->name, "..")==0 )
+                {
+                    /* no infinite recursion, please */   
+		    continue;
+                }
 
 		/* can't sign self */
 		if (!strcmp (entry->name, "META-INF"))
 			continue;
 
 		/* -x option */
 		if (PL_HashTableLookup(excludeDirs, entry->name))
 			continue;
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -304,18 +304,16 @@ PK11_FindPrivateKeyFromCert;
 PK11_FortezzaMapSig;
 PK11_GetKeyLength;
 PK11_GetKeyStrength;
 PK11_ImportCertForKeyToSlot;
 PK11_ImportEncryptedPrivateKeyInfo;
 PK11_ImportPrivateKeyInfo;
 PK11_MapPBEMechanismToCryptoMechanism;
 PK11_PBEKeyGen;
-PK11_CreatePBEParams;
-PK11_DestroyPBEParams;
 PK11_ParamFromAlgid;
 PK11_ParamToAlgid;
 PK11_TraverseCertsForNicknameInSlot;
 PK11_TraverseCertsForSubjectInSlot;
 PORT_ArenaGrow;
 PORT_ArenaMark;
 PORT_ArenaRelease;
 PORT_ArenaStrdup;
@@ -544,8 +542,19 @@ SECKEY_GetPrivateKeyType;
 SECKEY_HashPassword;
 SECKEY_ImportDERPublicKey;
 SECKEY_NewPrivateKeyList;
 SECKEY_RemovePrivateKeyListNode;
 VFY_EndWithSignature;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.3.1 { 	# NSS 3.3.1 release
+;+    global:
+;+#
+;+# The following symbols are exported only to make libsmime3.so work. 
+;+# These are still private!!!
+;+#
+PK11_CreatePBEParams;
+PK11_DestroyPBEParams;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -44,20 +44,20 @@ SEC_BEGIN_PROTOS
 
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>] [<Beta>]"
  */
-#define NSS_VERSION  "3.3"
+#define NSS_VERSION  "3.3.1"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   3
-#define NSS_VPATCH   0
+#define NSS_VPATCH   1
 #define NSS_BETA     PR_FALSE
 
 
 /*
  * Return a boolean that indicates whether the underlying library
  * will perform as the caller expects.
  *
  * The only argument is a string, which should be the verson
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -2971,17 +2971,34 @@ ssl2_BeginClientHandshake(sslSocket *ss)
      */
     rv = ssl2_CheckConfigSanity(ss);
     if (rv != SECSuccess)
 	goto loser;
 
     /* Get peer name of server */
     rv = ssl_GetPeerInfo(ss);
     if (rv < 0) {
+#ifdef HPUX11
+        /*
+         * On some HP-UX B.11.00 systems, getpeername() occasionally
+         * fails with ENOTCONN after a successful completion of
+         * non-blocking connect.  I found that if we do a write()
+         * and then retry getpeername(), it will work.
+         */
+        if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
+            char dummy;
+            (void) PR_Write(ss->fd->lower, &dummy, 0);
+            rv = ssl_GetPeerInfo(ss);
+            if (rv < 0) {
+                goto loser;
+            }
+        }
+#else
 	goto loser;
+#endif
     }
 
     SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
 
     /* Try to find server in our session-id cache */
     if (ss->noCache) {
 	sid = NULL;
     } else {
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -47,16 +47,17 @@
 #   cert.sh   - exercises certutil and creates certs necessary for all 
 #               other tests
 #   ssl.sh    - tests SSL V2 SSL V3 and TLS
 #   smime.sh  - S/MIME testing
 #   sdr.sh    - test NSS SDR
 #   cipher.sh - test NSS ciphers
 #   perf.sh   - Nightly performance measurments
 #   tools.sh  - Tests the majority of the NSS tools
+#   fips.sh   - Tests basic functionallity of NSS in FIPS-compliant mode
 #
 # special strings
 # ---------------
 #   FIXME ... known problems, search for this string
 #   NOTE .... unexpected behavior
 #
 # NOTE:
 # -----
@@ -64,28 +65,25 @@
 #    This is done to save time, since a great portion of time is lost
 #    in calling and sourcing the same things multiple times over the
 #    network. Also, this way all scripts have all shell function  available
 #    and a completely common environment
 #
 # file tells the test suite that the output is going to a log, so any
 #  forked() children need to redirect their output to prevent them from
 #  being over written.
-# I need to test how this works with the sourced scripts now...
 #
 ########################################################################
 
-#FIXME - all will be sourced by the wrapper wrapper will do cleanup etc
-
-TESTS="cert ssl sdr cipher smime perf tools"
+TESTS="cert ssl sdr cipher smime perf tools fips"
 SCRIPTNAME=all.sh
 CLEANUP="${SCRIPTNAME}"
-cd `dirname $0`	#FIXME - if sourced 
+cd `dirname $0`	# will cause problems if sourced 
 
-#all.sh is the one that always needs to source the init - just to be consistant
+#all.sh should be the first one to try to source the init 
 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     cd common
     . init.sh
 fi
 
 if [ -z "O_CRON" -o "$O_CRON" != "ON" ]
 then
     tail -f ${LOGFILE}  &
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -424,16 +424,47 @@ cert_stresscerts()
   done
   if [ "$CERTFAILED" != 0 ] ; then
       cert_log "ERROR: StressCert failed $RET"
   else
       cert_log "SUCCESS: StressCert passed"
   fi
 }
 
+############################## cert_fips #####################################
+# local shell function to create certificates for FIPS tests 
+##############################################################################
+cert_fips()
+{
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates =============="
+  cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000
+
+  CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
+  certu -N -d "${CERTDIR}" -f "${R_FIPSPWFILE}" 2>&1
+
+  echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
+  modutil -dbdir ${CERTDIR} -fips true 2>&1 <<MODSCRIPT
+y
+MODSCRIPT
+  CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
+  if [ "$?" -ne 0 ]; then
+    html_failed "<TR><TD>${CU_ACTION} ($?) " 
+    cert_log "ERROR: ${CU_ACTION} failed $?"
+  else
+    html_passed "<TR><TD>${CU_ACTION}"
+  fi
+
+  CU_ACTION="Generate Certificate for ${CERTNAME}"
+  CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US"
+  certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${CERTDIR}" -f "${R_FIPSPWFILE}" -k dsa -m ${CERTSERIAL} -z "${R_NOISE_FILE}" 2>&1
+  if [ "$RET" -eq 0 ]; then
+    cert_log "SUCCESS: FIPS passed"
+  fi
+}
 
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
 ########################################################################
 cert_cleanup()
 {
   cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
@@ -450,9 +481,10 @@ cert_ssl
 cert_smime_client        
 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
     cert_stresscerts 
     #following lines to be used when databases are to be reused
     #cp -r /u/sonmi/tmp/stress/kentuckyderby.13/* $HOSTDIR
     #cp -r $HOSTDIR/../clio.8/* $HOSTDIR
 
 fi
+cert_fips
 cert_cleanup
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -37,26 +37,27 @@
 # mozilla/security/nss/tests/common/init.sh
 #
 # initialization for NSS QA, can be included multiple times
 # from all.sh and the individual scripts
 #
 # variables, utilities and shellfunctions global to NSS QA
 # needs to work on all Unix and Windows platforms
 #
-# included from (don't expect this to be up to date)
-# --------------------------------------------------
+# included from 
+# -------------
 #   all.sh
 #   ssl.sh
 #   sdr.sh
 #   cipher.sh
 #   perf.sh
 #   cert.sh
 #   smime.sh
 #   tools.sh
+#   fips.sh
 #
 # special strings
 # ---------------
 #   FIXME ... known problems, search for this string
 #   NOTE .... unexpected behavior
 #
 # NOTE:
 # -----
@@ -66,16 +67,17 @@
 #    network. Also, this way all scripts have all shell function  available
 #    and a completely common environment
 #
 ########################################################################
 
 
 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
 
+# Exit shellfunction to clean up at exit (error, regular or signal)
     Exit()
     {
         if [ -n "$1" ] ; then
             echo "$SCRIPTNAME: Exit: $*"
             html_failed "<TR><TD>$*"
         fi
         echo "</TABLE><BR>" >> ${RESULTS}
         if [ -n "${TAILPID}" ]; then
@@ -92,16 +94,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
                 exit $1;
                 ;;
             *)
                 exit 1
                 ;;
         esac
     }
 
+#html functions to give the resultfiles a consistant look
     html() #########################    write the results.html file
     {      # 3 functions so we can put targets in the output.log easier
         echo $* >>${RESULTS}
     }
     html_passed()
     {
         html "$* ${HTML_PASSED}"
     }
@@ -124,17 +127,21 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
             fi
         else
             html_passed "<TR><TD>$3"
             if [ -n "$4" ] ; then
                 echo "$SCRIPTNAME: $3 $4 PASSED"
             fi
         fi
     }
+    HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
+    HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
 
+
+#directory name init
     SCRIPTNAME=init.sh
 
     mozilla_root=`(cd ../../../..; pwd)`
     MOZILLA_ROOT=${MOZILLA_ROOT-$mozilla_root}
 
     qadir=`(cd ..; pwd)`
     QADIR=${QADIR-$qadir}
 
@@ -144,85 +151,106 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
 
     DIST=${DIST-${MOZILLA_ROOT}/dist}
     SECURITY_ROOT=${SECURITY_ROOT-${MOZILLA_ROOT}/security/nss}
     TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
     OBJDIR=`(cd $COMMON; gmake objdir_name)`
     OS_ARCH=`(cd $COMMON; gmake os_arch)`
     OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//"`
 
+#in case of backward comp. tests the calling scripts set the
+#PATH and LD_LIBRARY_PATH and do not want them to be changed
     if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then
         if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME"  != "CYGWIN_NT" ]; then
-            PATH=${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
+            PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
             PATH=`perl ../path_uniq -d ';' "$PATH"`
         else
-            PATH=${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
+            PATH=.:/bin:/usr/bin:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
+            # added /bin and /usr/bin in the beginning so a local perl will 
+            # be used
             PATH=`perl ../path_uniq -d ':' "$PATH"`
         fi
 
         LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib
         SHLIB_PATH=${DIST}/${OBJDIR}/lib
         LIBPATH=${DIST}/${OBJDIR}/lib
     fi
 
     if [ ! -d "${TESTDIR}" ]; then
         echo "$SCRIPTNAME init: Creating ${TESTDIR}"
         mkdir -p ${TESTDIR}
     fi
 
+#HOST and DOMSUF are needed for the server cert 
     case $HOST in
         *\.*)
             HOST=`echo $HOST | sed -e "s/\..*//"`
             ;;
         ?*)
             ;;
         *)
-            echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
-            exit 1 #does not need to be Exit, very early in script
+            HOST=`uname -n`
+            case $HOST in
+                *\.*)
+                    HOST=`echo $HOST | sed -e "s/\..*//"`
+                    ;;
+                ?*)
+                    ;;
+                *)
+                    echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+                    exit 1 #does not need to be Exit, very early in script
+                    ;;
+            esac
             ;;
     esac
 
     if [ -z "${DOMSUF}" ]; then
         DOMSUF=`domainname`
         if  [ -z "${DOMSUF}" ]; then
             echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
             exit 1 #does not need to be Exit, very early in script
         fi
     fi
+#HOSTADDR was a workaround for the dist. stress test, and is probably 
+#not needed anymore (purpose: be able to use IP address for the server 
+#cert instead of PC name which was not in the DNS because of dyn IP address
     if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
         HOSTADDR=${HOST}.${DOMSUF}
     else
         HOSTADDR=${IP_ADDRESS}
     fi
 
-    #if running remote side of the distributed stress test we need to use the files that
-    #the server side gives us...
+#if running remote side of the distributed stress test we need to use 
+#the files that the server side gives us...
     if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
         for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
             sed -e "s/.*${HOST}.//"` ; do
                 version=$w
         done
         HOSTDIR=${TESTDIR}/${HOST}.$version
         echo "$SCRIPTNAME init: HOSTDIR $HOSTDIR"
         echo $HOSTDIR
         if [ ! -d $HOSTDIR ] ; then
             echo "$SCRIPTNAME: Fatal: Remote side of dist. stress test "
             echo "       - server HOSTDIR $HOSTDIR does not exist"
             exit 1 #does not need to be Exit, very early in script
         fi
     fi
 
+#find the HOSTDIR, where the results are supposed to go
     if [ -n "${HOSTDIR}" ]; then
         version=`echo $HOSTDIR | sed  -e "s/.*${HOST}.//"` 
     else
         if [ -f "${TESTDIR}/${HOST}" ]; then
             version=`cat ${TESTDIR}/${HOST}`
         else
             version=1
         fi
+#file has a tendency to disappear, messing up the rest of QA - 
+#workaround to find the next higher number if version file is not there
         if [ -z "${version}" ]; then    # for some strange reason this file
                                         # gets truncated at times... Windos
             for w in `ls -d ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
                 sort -t '.' -n | sed -e "s/.*${HOST}.//"` ; do
                 version=`expr $w + 1`
             done
             if [ -z "${version}" ]; then
                 version=1
@@ -230,16 +258,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
         fi
         expr $version + 1 > ${TESTDIR}/${HOST}
 
         HOSTDIR=${TESTDIR}/${HOST}'.'$version
 
         mkdir -p ${HOSTDIR}
     fi
 
+#result and log file and filename init,
     if [ -z "${LOGFILE}" ]; then
         LOGFILE=${HOSTDIR}/output.log
     fi
     if [ ! -f "${LOGFILE}" ]; then
         touch ${LOGFILE}
     fi
     if [ -z "${RESULTS}" ]; then
         RESULTS=${HOSTDIR}/results.html
@@ -267,87 +296,111 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
         echo "********************************************" | tee ${LOGFILE}
     fi
 
     echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |
         tee ${LOGFILE}
 
     KILL="kill"
     if  [ "${OS_ARCH}" = "Linux" ]; then
+#on linux the selfserv needs up to 30 seconds to fully die and free 
+#the socket
         SLEEP="sleep 30"
     fi
     if [ `uname -s` = "SunOS" ]; then
         PS="/usr/5bin/ps"
     else
         PS="ps"
     fi
-    #found 3 rsh's so far that do not work as expected - cygnus mks6 (restricted sh) and mks 7
+#found 3 rsh's so far that do not work as expected - cygnus mks6 
+#(restricted sh) and mks 7 - if it is not in c:/winnt/system32 it
+#needs to be set in the environ.ksh
     if [ -z "$RSH" ]; then
         if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME"  = "CYGWIN_NT" ]; then
             RSH=/cygdrive/c/winnt/system32/rsh
         elif [ "${OS_ARCH}" = "WINNT" ]; then
             RSH=c:/winnt/system32/rsh
         else
             RSH=rsh
         fi
     fi
    
 
+#more filename and directoryname init
     CURDIR=`pwd`
 
-    HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
-    HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
-
     CU_ACTION='Unknown certutil action'
 
     # would like to preserve some tmp files, also easier to see if there 
     # are "leftovers" - another possibility ${HOSTDIR}/tmp
 
     TMP=${HOSTDIR}      #TMP=${TMP-/tmp}
+    TEMP=${TMP}
+    TMPDIR=${TMP}
 
     CADIR=${HOSTDIR}/CA
     SERVERDIR=${HOSTDIR}/server
     CLIENTDIR=${HOSTDIR}/client
     ALICEDIR=${HOSTDIR}/alicedir
     BOBDIR=${HOSTDIR}/bobdir
     DAVEDIR=${HOSTDIR}/dave
+    FIPSDIR=${HOSTDIR}/fips
 
     PWFILE=${TMP}/tests.pw.$$
     NOISE_FILE=${TMP}/tests_noise.$$
 
+    FIPSPWFILE=${TMP}/tests.fipspw.$$
+    FIPSBADPWFILE=${TMP}/tests.fipsbadpw.$$
+    FIPSP12PWFILE=${TMP}/tests.fipsp12pw.$$
+    FIPSCERTNICK="FIPS_PUB_140-1_Test_Certificate"
+
     # we need relative pathnames of these files abd directories, since our 
     # tools can't handle the unix style absolut pathnames on cygnus
 
     R_CADIR=../CA
     R_SERVERDIR=../server
     R_CLIENTDIR=../client
     R_ALICEDIR=../alicedir
     R_BOBDIR=../bobdir
     R_DAVEDIR=../dave
 
     R_PWFILE=../tests.pw.$$
     R_NOISE_FILE=../tests_noise.$$
 
+    R_FIPSPWFILE=../tests.fipspw.$$
+    R_FIPSBADPWFILE=../tests.fipsbadpw.$$
+    R_FIPSP12PWFILE=../tests.fipsp12pw.$$
+
+    echo "fips140" > ${FIPSPWFILE}
+    echo "fips104" > ${FIPSBADPWFILE}
+    echo "pkcs12fips140" > ${FIPSP12PWFILE}
+
     # a new log file, short - fast to search, mostly for tools to
     # see if their portion of the cert has succeeded, also for me -
     CERT_LOG_FILE=${HOSTDIR}/cert.log      #the output.log is so crowded...
 
     TEMPFILES="${PWFILE} ${NOISE_FILE}"
     trap "Exit $0 Signal_caught" 2 3
 
     export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
     export DOMSUF HOSTADDR
     export KILL SLEEP PS
     export MOZILLA_ROOT SECURITY_ROOT DIST TESTDIR OBJDIR HOSTDIR QADIR
     export LOGFILE SCRIPTNAME
 
+#used for the distributed stress test, the server generates certificates 
+#from GLOB_MIN_CERT to GLOB_MAX_CERT 
+# NOTE - this variable actually gets initialized by directly by the 
+# ssl_dist_stress.shs sl_ds_init() before init is called - need to change 
+# in  both places. speaking of data encapsulatioN...
+
     if [ -z "$GLOB_MIN_CERT" ] ; then
         GLOB_MIN_CERT=0
     fi
-    if [ -z "$GLOBMAX_CERT" ] ; then
+    if [ -z "$GLOB_MAX_CERT" ] ; then
         GLOB_MAX_CERT=200
     fi
     if [ -z "$MIN_CERT" ] ; then
         MIN_CERT=$GLOB_MIN_CERT
     fi
     if [ -z "$MAX_CERT" ] ; then
         MAX_CERT=$GLOB_MAX_CERT
     fi
new file mode 100755
--- /dev/null
+++ b/security/nss/tests/fips/fips.sh
@@ -0,0 +1,178 @@
+#! /bin/sh  
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+#
+########################################################################
+#
+# mozilla/security/nss/tests/fips/fips.sh
+#
+# Script to test basic functionallity of NSS in FIPS-compliant mode
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## fips_init ##############################
+# local shell function to initialize this script 
+########################################################################
+fips_init()
+{
+  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . cert.sh
+  fi
+  SCRIPTNAME=fips.sh
+  html_head "FIPS 140-1 Compliance Tests"
+
+  grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
+  }
+
+  COPYDIR=${FIPSDIR}/copydir
+
+  R_FIPSDIR=../fips
+  R_COPYDIR=../fips/copydir
+
+  mkdir -p ${FIPSDIR}
+  mkdir -p ${COPYDIR}
+
+  cd ${FIPSDIR}
+}
+
+############################## fips_140_1 ##############################
+# local shell function to test basic functionality of NSS while in
+# FIPS 140-1 compliant mode
+########################################################################
+fips_140_1()
+{
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)"
+
+  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
+  echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)"
+
+  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
+  echo "certutil -d ${R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
+  certutil -d ${R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
+  RET=$?
+  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)"
+  echo "certutil -K returned $RET"
+
+  echo "$SCRIPTNAME: Validate the certificate --------------------------"
+  echo "certutil -d ${R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
+  certutil -d ${R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
+  html_msg $? 0 "Validate the certificate (certutil -V -e)"
+
+  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
+  echo "pk12util -d ${R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  pk12util -d ${R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)"
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)"
+
+  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
+  echo "certutil -d ${R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
+  certutil -d ${R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -D)"
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)"
+
+  echo "$SCRIPTNAME: List the FIPS module keys."
+  echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)"
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  pk12util -d ${R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)"
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)"
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)"
+
+  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
+  echo "certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+  certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
+  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)"
+}
+
+############################## fips_cleanup ############################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+fips_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+fips_init
+
+fips_140_1
+fips_cleanup
+
--- a/security/nss/tests/ssl/ssl_dist_stress.sh
+++ b/security/nss/tests/ssl/ssl_dist_stress.sh
@@ -59,17 +59,17 @@
 ############################## ssl_ds_init #############################
 # local shell function to initialize this script
 ########################################################################
 ssl_ds_init()
 {
   if [ -z "$GLOB_MIN_CERT" ] ; then
       GLOB_MIN_CERT=0
   fi
-  if [ -z "$GLOBMAX_CERT" ] ; then
+  if [ -z "$GLOB_MAX_CERT" ] ; then
       GLOB_MAX_CERT=200
   fi
   IP_PARAM=""
   CD_QADIR_SSL=""
 
 
   if [ -n "$1" ] ; then
       ssl_ds_eval_opts $*
@@ -238,20 +238,18 @@ ssl_ds_dist_stress()
                hbombaix-10
                raven-10
                jordan-10
                phaedrus-10
                louie-10
                trex-10
                compaqtor-10"
 
-  #clientlist="  box-200 washer-50 charm-10 jordan-10 louie-10 smarch-10 phaedrus-10 charm-10 hbombaix-20 box-200 washer-50 "
-  #clientlist=" box-200 washer-50 louie-10 hbombaix-10 charm-10 trex-20 jordan-10 box-200 compaqtor-10 "
   #clientlist=" box-2 washer-5" #FIXME ADJUST
-  clientlist="  box-200 charm-10 jordan-10 louie-10 smarch-10 phaedrus-10 charm-10 "
+  clientlist="  box-200 washer-200"
 
   html_head "SSL Distributed Stress Test"
 
   testname="SSL distributed Stress test"
 
   echo cd "${CLIENTDIR}"
   cd "${CLIENTDIR}"
   if [ -z "CD_QADIR_SSL" ] ; then
@@ -284,19 +282,19 @@ ssl_ds_dist_stress()
   done
 
   echo cd "${CLIENTDIR}"
   cd "${CLIENTDIR}"
 
   sleep 300 # give the clients time to finish #FIXME ADJUST
  
   echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n
-  echo "tstclnt -h clio.red.iplanet.com -p  8443 -d ${CLIENTDIR} -n TestUser0 "
+  echo "tstclnt -h $HOSTADDR -p  8443 -d ${CLIENTDIR} -n TestUser0 "
   echo "        -w nss -f < stdin.txt"
-  tstclnt -h clio.red.iplanet.com -p  8443 -d ${CLIENTDIR} -n TestUser0 \
+  tstclnt -h $HOSTADDR -p  8443 -d ${CLIENTDIR} -n TestUser0 \
 	  -w nss -f < stdin.txt
   
   html_msg 0 0 "${testname}"
   html "</TABLE><BR>"
 }
 
 ############################ get_certrange #############################
 # local shell function to find the range of certs that the next remote 
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -137,27 +137,28 @@ y
 TEST
 MOZ
 NSS
 NY
 US
 liz
 liz@moz.org
 SIGNSCRIPT
+  html_msg $? 0 "Create objsign cert (signtool -G)"
 
   echo "$SCRIPTNAME: Signing a set of files ----------------------------"
   echo "signtool -Z nojs.jar -d ${R_ALICEDIR} -p \"nss\" -k objsigner \\"
   echo "         ${R_TOOLSDIR}/html"
   signtool -Z nojs.jar -d ${R_ALICEDIR} -p "nss" -k objsigner ${R_TOOLSDIR}/html
   html_msg $? 0 "Signing a set of files (signtool -Z)"
 
   echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
-  echo "signtool -w nojs.jar -d ${R_ALICEDIR}"
-  signtool -w nojs.jar -d ${R_ALICEDIR}
-  html_msg $? 0 "Listing signed files in jar (signtool -w)"
+  echo "signtool -v nojs.jar -d ${R_ALICEDIR} -p nss -k objsigner"
+  signtool -v nojs.jar -d ${R_ALICEDIR} -p nss -k objsigner
+  html_msg $? 0 "Listing signed files in jar (signtool -v)"
   
   echo "$SCRIPTNAME: Show who signed jar ------------------------------"
   echo "signtool -w nojs.jar -d ${R_ALICEDIR}"
   signtool -w nojs.jar -d ${R_ALICEDIR}
   html_msg $? 0 "Show who signed jar (signtool -w)"
 }
 
 ############################## tools_cleanup ###########################
@@ -170,22 +171,14 @@ tools_cleanup()
   cd ${QADIR}
   . common/cleanup.sh
 }
 
 ################## main #################################################
 
 tools_init
 
-#FIXME - tmp workaround for tests that do not work in 3.2 RTM
-#echo $BC_ACTION | grep "forward compatibility"  && RUN_TOOLS_P12="FALSE"
-echo $BC_ACTION | grep "compatibility"  && RUN_TOOLS_P12="FALSE"
-if [ -n "${RUN_TOOLS_P12}" -a "${RUN_TOOLS_P12}" = "FALSE" ] ; then
-  html_msg 0 0 "Can't run pk12util tests  for NSS 3.2 (pk12util -i)"
-  html_msg 0 0 "Can't run pk12util tests  for NSS 3.2 (pk12util -o)"
-else
-    tools_p12
-fi
+tools_p12
 
 tools_sign
 tools_cleanup