fixup commit for branch 'GECKO181_20070501_RELBRANCH' GECKO181_20070501_RELBRANCH CAMINO_1_1_B_RELEASE CAMINO_1_5_RELEASE FIREFOX_2_0_0_2_RC1 FIREFOX_2_0_0_2_RC2 FIREFOX_2_0_0_2_RC3 FIREFOX_2_0_0_2_RC4 FIREFOX_2_0_0_2_RC5 FIREFOX_2_0_0_2_RELEASE FIREFOX_2_0_0_3_RC1 FIREFOX_2_0_0_3_RELEASE FIREFOX_2_0_0_4_RC1 FIREFOX_2_0_0_4_RC2 FIREFOX_2_0_0_4_RC3 FIREFOX_2_0_0_4_RELEASE LIGHTNING_0_5_RC1 LIGHTNING_0_5_RELEASE SEAMONKEY_1_1_1_RELEASE SEAMONKEY_1_1_2_RELEASE SUNBIRD_0_5_RC1 SUNBIRD_0_5_RELEASE THUNDERBIRD_2_0_0_0_RC1 THUNDERBIRD_2_0_0_0_RELEASE THUNDERBIRD_2_0_0_4_RC1 THUNDERBIRD_2_0_0_4_RELEASE
authorcvs2hg
Wed, 17 Jan 2007 18:58:59 +0000
branchGECKO181_20070501_RELBRANCH
changeset 7641 35f4f16a363e1437e3da2cd4a034106db719891a
parent 6338 d5ef185710a56c56c0ff7df8acb94bddf6623de5
child 7642 5b069e061226b54b16d5201aaf10938eaca901f0
child 7643 a465b716bb5b80173397abc7ad1c3a508370929b
child 7644 081bf4d26b775342c97ad6cc13012306eb30e148
child 7645 b79e50420d90b7a3828331e6e02ff414f3984cca
child 7887 7be84714297b24fb508308ec8502330b5099648d
child 10680 877f17933f86ebadac7caf0f952fff1a934ad4ff
push idunknown
push userunknown
push dateunknown
fixup commit for branch 'GECKO181_20070501_RELBRANCH'
dbm/Makefile.in
dbm/include/Makefile.in
dbm/include/Makefile.win
dbm/include/cdefs.h
dbm/include/extern.h
dbm/include/hash.h
dbm/include/hsearch.h
dbm/include/mcom_db.h
dbm/include/mpool.h
dbm/include/ncompat.h
dbm/include/ndbm.h
dbm/include/page.h
dbm/include/queue.h
dbm/include/search.h
dbm/src/Makefile.in
dbm/src/Makefile.win
dbm/src/db.c
dbm/src/h_bigkey.c
dbm/src/h_func.c
dbm/src/h_log2.c
dbm/src/h_page.c
dbm/src/hash.c
dbm/src/hash_buf.c
dbm/src/hsearch.c
dbm/src/memmove.c
dbm/src/mktemp.c
dbm/src/ndbm.c
dbm/src/strerror.c
dbm/tests/Makefile.in
dbm/tests/lots.c
security/coreconf/Darwin.mk
security/coreconf/FreeBSD.mk
security/coreconf/Linux.mk
security/coreconf/Linux2.6.mk
security/coreconf/OS2.mk
security/coreconf/SunOS5.11.mk
security/coreconf/SunOS5.11_i86pc.mk
security/coreconf/WIN32.mk
security/coreconf/config.mk
security/coreconf/jdk.mk
security/coreconf/location.mk
security/coreconf/rules.mk
security/dbm/Makefile
security/dbm/config/config.mk
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/dirent.c
security/dbm/src/dirent.h
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/Makefile
security/nss/cmd/Makefile
security/nss/cmd/SSLsample/NSPRerrs.h
security/nss/cmd/SSLsample/SECerrs.h
security/nss/cmd/SSLsample/SSLerrs.h
security/nss/cmd/SSLsample/client.mn
security/nss/cmd/SSLsample/server.mn
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/certutil/certutil.c
security/nss/cmd/crlutil/crlgen.c
security/nss/cmd/crlutil/crlutil.c
security/nss/cmd/dbck/Makefile
security/nss/cmd/dbck/dbck.c
security/nss/cmd/dbck/dbrecover.c
security/nss/cmd/dbck/manifest.mn
security/nss/cmd/dbtest/Makefile
security/nss/cmd/fipstest/Makefile
security/nss/cmd/fipstest/dsa.sh
security/nss/cmd/fipstest/ecdsa.sh
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/fipstest/hmac.sh
security/nss/cmd/fipstest/rng.sh
security/nss/cmd/fipstest/rsa.sh
security/nss/cmd/fipstest/sha.sh
security/nss/cmd/fipstest/tdea.sh
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/SSLerrs.h
security/nss/cmd/lib/manifest.mn
security/nss/cmd/lib/secpwd.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/modutil/modutil.c
security/nss/cmd/modutil/pk11.c
security/nss/cmd/modutil/specification.html
security/nss/cmd/pk11mode/Makefile
security/nss/cmd/pk11mode/manifest.mn
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/platlibs.mk
security/nss/cmd/pp/pp.c
security/nss/cmd/rsaperf/Makefile
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/Makefile
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/Makefile
security/nss/cmd/tstclnt/tstclnt.c
security/nss/cmd/vfychain/Makefile
security/nss/cmd/vfyserv/Makefile
security/nss/cmd/vfyserv/vfyserv.c
security/nss/cmd/vfyserv/vfyutil.c
security/nss/lib/base/arena.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certdb/xauthkid.c
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/manifest.mn
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspi.h
security/nss/lib/certhigh/ocspt.h
security/nss/lib/ckfw/builtins/binst.c
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/constants.c
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/builtins/nssckbi.rc
security/nss/lib/ckfw/capi/nsscapi.rc
security/nss/lib/ckfw/dbm/Makefile
security/nss/lib/ckfw/dbm/anchor.c
security/nss/lib/ckfw/dbm/ckdbm.h
security/nss/lib/ckfw/dbm/config.mk
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/dbm/find.c
security/nss/lib/ckfw/dbm/instance.c
security/nss/lib/ckfw/dbm/manifest.mn
security/nss/lib/ckfw/dbm/object.c
security/nss/lib/ckfw/dbm/session.c
security/nss/lib/ckfw/dbm/slot.c
security/nss/lib/ckfw/dbm/token.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/crmf/challcli.c
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmfcont.c
security/nss/lib/crmf/crmfit.h
security/nss/lib/crmf/crmfpop.c
security/nss/lib/crmf/crmfreq.c
security/nss/lib/crmf/crmftmpl.c
security/nss/lib/crmf/respcmn.c
security/nss/lib/crmf/servget.c
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/freebl/GF2m_ecl.c
security/nss/lib/freebl/GF2m_ecl.h
security/nss/lib/freebl/GFp_ecl.c
security/nss/lib/freebl/GFp_ecl.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour-amd64-gas.s
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/des.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/Makefile
security/nss/lib/freebl/ecl/ec2_aff.c
security/nss/lib/freebl/ecl/ecl-curve.h
security/nss/lib/freebl/ecl/ecl-priv.h
security/nss/lib/freebl/ecl/ecl.c
security/nss/lib/freebl/ecl/ecl_curve.c
security/nss/lib/freebl/ecl/ecl_gf.c
security/nss/lib/freebl/ecl/ecl_mult.c
security/nss/lib/freebl/ecl/ecp_192.c
security/nss/lib/freebl/ecl/ecp_224.c
security/nss/lib/freebl/ecl/ecp_256.c
security/nss/lib/freebl/ecl/ecp_384.c
security/nss/lib/freebl/ecl/ecp_521.c
security/nss/lib/freebl/ecl/tests/ec2_test.c
security/nss/lib/freebl/ecl/tests/ecp_test.c
security/nss/lib/freebl/freebl.rc
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/mpi/Makefile
security/nss/lib/freebl/mpi/mp_gf2m.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi_amd64_gas.s
security/nss/lib/freebl/mpi/mpi_sparc.c
security/nss/lib/freebl/mpi/mpi_x86.asm
security/nss/lib/freebl/mpi/mpi_x86_asm.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/mpprime.c
security/nss/lib/freebl/mpi/target.mk
security/nss/lib/freebl/mpi/tests/mptest-7.c
security/nss/lib/freebl/mpi/tests/mptest-8.c
security/nss/lib/freebl/nss.h
security/nss/lib/freebl/os2_rand.c
security/nss/lib/freebl/pqg.c
security/nss/lib/freebl/prng_fips1861.c
security/nss/lib/freebl/secrng.h
security/nss/lib/freebl/sha256.h
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nss.rc
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/Makefile
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11cxt.c
security/nss/lib/pk11wrap/pk11err.c
security/nss/lib/pk11wrap/pk11kea.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11nobj.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pk12.c
security/nss/lib/pk11wrap/pk11pqg.c
security/nss/lib/pk11wrap/pk11priv.h
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pk11wrap/secmod.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs7/p7decode.c
security/nss/lib/pki/certificate.c
security/nss/lib/pki/cryptocontext.c
security/nss/lib/pki/nsspki.h
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pkibase.c
security/nss/lib/pki/pkim.h
security/nss/lib/pki/pkistore.c
security/nss/lib/pki/pkistore.h
security/nss/lib/pki/pkit.h
security/nss/lib/pki/tdcache.c
security/nss/lib/pki/trustdomain.c
security/nss/lib/smime/cmscipher.c
security/nss/lib/smime/cmsencode.c
security/nss/lib/smime/cmsrecinfo.c
security/nss/lib/smime/cmsreclist.c
security/nss/lib/smime/cmssiginfo.c
security/nss/lib/smime/cmsutil.c
security/nss/lib/smime/smime.rc
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/dbinit.c
security/nss/lib/softoken/dbmshim.c
security/nss/lib/softoken/ecdecode.c
security/nss/lib/softoken/fipsaudt.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/keydb.c
security/nss/lib/softoken/lowcert.c
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/nss.h
security/nss/lib/softoken/pcert.h
security/nss/lib/softoken/pcertdb.c
security/nss/lib/softoken/pcertt.h
security/nss/lib/softoken/pk11db.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/softoken/softoken.h
security/nss/lib/softoken/softokn.rc
security/nss/lib/softoken/softoknt.h
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/emulate.c
security/nss/lib/ssl/manifest.mn
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.rc
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/ssldef.c
security/nss/lib/ssl/sslenum.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslmutex.c
security/nss/lib/ssl/sslproto.h
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/derenc.c
security/nss/lib/util/secasn1d.c
security/nss/lib/util/secasn1e.c
security/nss/lib/util/secdig.c
security/nss/lib/util/secerr.h
security/nss/lib/util/secitem.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/util/secport.c
security/nss/lib/util/secport.h
security/nss/manifest.mn
security/nss/pkg/linux/Makefile
security/nss/pkg/solaris/Makefile-devl.com
security/nss/pkg/solaris/Makefile-tlsu.com
security/nss/pkg/solaris/Makefile.com
security/nss/tests/all.sh
security/nss/tests/cert/cert.sh
security/nss/tests/cert/certext.txt
security/nss/tests/cert/eccert.sh
security/nss/tests/cipher/cipher.sh
security/nss/tests/common/init.sh
security/nss/tests/dbtests/dbtests.sh
security/nss/tests/fips/fips.sh
security/nss/tests/fixtests.sh
security/nss/tests/perf/perf.sh
security/nss/tests/pkcs11/netscape/trivial/configure.in
security/nss/tests/smime/ecsmime.sh
security/nss/tests/smime/smime.sh
security/nss/tests/ssl/ecssl.sh
security/nss/tests/ssl/ecsslauth.txt
security/nss/tests/ssl/ecsslcov.txt
security/nss/tests/ssl/ecsslstress.txt
security/nss/tests/ssl/ssl.sh
security/nss/tests/ssl/sslauth.txt
security/nss/tests/ssl/sslcov.txt
security/nss/tests/ssl/sslstress.txt
security/nss/tests/tools/ectools.sh
security/nss/tests/tools/tools.sh
--- a/dbm/Makefile.in
+++ b/dbm/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/include/Makefile.in
+++ b/dbm/include/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/include/Makefile.win
+++ b/dbm/include/Makefile.win
@@ -1,43 +1,26 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# Contributor(s): 
 
 
 #//------------------------------------------------------------------------
 #//
 #// Makefile to build the cert library
 #//
 #//------------------------------------------------------------------------
 
--- a/dbm/include/cdefs.h
+++ b/dbm/include/cdefs.h
@@ -1,26 +1,65 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is 
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the NPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the NPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 /*
  * Copyright (c) 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
  *
  * This code is derived from software contributed to Berkeley by
  * Berkeley Software Design, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. ***REMOVED*** - see 
- *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/extern.h
+++ b/dbm/include/extern.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/hash.h
+++ b/dbm/include/hash.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/hsearch.h
+++ b/dbm/include/hsearch.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -1,23 +1,62 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is 
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the NPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the NPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 /*- 
  * Copyright (c) 1990, 1993, 1994
  *	The Regents of the University of California.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. ***REMOVED*** - see 
- *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/mpool.h
+++ b/dbm/include/mpool.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/ncompat.h
+++ b/dbm/include/ncompat.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/ndbm.h
+++ b/dbm/include/ndbm.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/page.h
+++ b/dbm/include/page.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/queue.h
+++ b/dbm/include/queue.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/search.h
+++ b/dbm/include/search.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/Makefile.in
+++ b/dbm/src/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/src/Makefile.win
+++ b/dbm/src/Makefile.win
@@ -1,43 +1,26 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# Contributor(s): 
 
 
 #//------------------------------------------------------------------------
 #//
 #// Makefile to build the cert library
 #//
 #//------------------------------------------------------------------------
 
--- a/dbm/src/db.c
+++ b/dbm/src/db.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_bigkey.c
+++ b/dbm/src/h_bigkey.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_func.c
+++ b/dbm/src/h_func.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_log2.c
+++ b/dbm/src/h_log2.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_page.c
+++ b/dbm/src/h_page.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hash_buf.c
+++ b/dbm/src/hash_buf.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hsearch.c
+++ b/dbm/src/hsearch.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/memmove.c
+++ b/dbm/src/memmove.c
@@ -9,20 +9,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/ndbm.c
+++ b/dbm/src/ndbm.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/strerror.c
+++ b/dbm/src/strerror.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/tests/Makefile.in
+++ b/dbm/tests/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/tests/lots.c
+++ b/dbm/tests/lots.c
@@ -1,42 +1,43 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
  *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  * for the specific language governing rights and limitations under the
  * License.
  *
  * The Original Code is mozilla.org code.
  *
- * The Initial Developer of the Original Code is
+ * The Initial Developer of the Original Code is 
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 1998
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *
+ *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
+ * use your version of this file under the terms of the NPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
+ * the terms of any one of the NPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /* use sequental numbers printed to strings
  * to store lots and lots of entries in the
  * database.
  *
  * Start with 100 entries, put them and then
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -38,54 +38,58 @@
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
 DEFAULT_COMPILER = cc
 
 CC		= cc
 CCC		= c++
 RANLIB		= ranlib
 
-ifeq (86,$(findstring 86,$(OS_TEST)))
+ifndef CPU_ARCH
+# When cross-compiling, CPU_ARCH should already be defined as the target
+# architecture, set to powerpc or i386.
+CPU_ARCH	:= $(shell uname -p)
+endif
+
+ifeq (,$(filter-out i%86,$(CPU_ARCH)))
 OS_REL_CFLAGS	= -Di386
-CPU_ARCH	= i386
 else
 OS_REL_CFLAGS	= -Dppc
-CPU_ARCH	= ppc
 endif
 
 ifneq (,$(MACOS_SDK_DIR))
     GCC_VERSION_FULL := $(shell $(CC) -v 2>&1 | grep "gcc version" | sed -e "s/^.*gcc version[  ]*//" | awk '{ print $$1 }')
     GCC_VERSION_MAJOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$1 }')
     GCC_VERSION_MINOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$2 }')
     GCC_VERSION = $(GCC_VERSION_MAJOR).$(GCC_VERSION_MINOR)
 
     ifeq (,$(filter-out 2 3,$(GCC_VERSION_MAJOR)))
         # GCC <= 3
         DARWIN_SDK_FRAMEWORKS = -F$(MACOS_SDK_DIR)/System/Library/Frameworks
         ifneq (,$(shell find $(MACOS_SDK_DIR)/Library/Frameworks -maxdepth 0))
             DARWIN_SDK_FRAMEWORKS += -F$(MACOS_SDK_DIR)/Library/Frameworks
         endif
         DARWIN_SDK_CFLAGS = -nostdinc -isystem $(MACOS_SDK_DIR)/usr/include/gcc/darwin/$(GCC_VERSION) -isystem $(MACOS_SDK_DIR)/usr/include $(DARWIN_SDK_FRAMEWORKS)
         DARWIN_SDK_LDFLAGS = -L$(MACOS_SDK_DIR)/usr/lib/gcc/darwin -L$(MACOS_SDK_DIR)/usr/lib/gcc/darwin/$(GCC_VERSION_FULL) -L$(MACOS_SDK_DIR)/usr/lib
-        DARWIN_SDK_DSOFLAGS = $(DARWIN_SDK_LDFLAGS) $(DARWIN_SDK_FRAMEWORKS)
+        DARWIN_SDK_SHLIBFLAGS = $(DARWIN_SDK_LDFLAGS) $(DARWIN_SDK_FRAMEWORKS)
         NEXT_ROOT = $(MACOS_SDK_DIR)
         export NEXT_ROOT
     else
         # GCC >= 4
         DARWIN_SDK_CFLAGS = -isysroot $(MACOS_SDK_DIR)
         ifneq (4.0.0,$(GCC_VERSION_FULL))
             # gcc > 4.0.0 passes -syslibroot to ld based on -isysroot.
             # Don't add -isysroot to DARWIN_SDK_LDFLAGS, because the programs
             # that are linked with those flags also get DARWIN_SDK_CFLAGS.
-            DARWIN_SDK_DSOFLAGS = -isysroot $(MACOS_SDK_DIR)
+            DARWIN_SDK_SHLIBFLAGS = -isysroot $(MACOS_SDK_DIR)
         else
             # gcc 4.0.0 doesn't pass -syslibroot to ld, it needs to be
             # explicit.
             DARWIN_SDK_LDFLAGS = -Wl,-syslibroot,$(MACOS_SDK_DIR)
-            DARWIN_SDK_DSOFLAGS = $(DARWIN_SDK_LDFLAGS)
+            DARWIN_SDK_SHLIBFLAGS = $(DARWIN_SDK_LDFLAGS)
         endif
     endif
 
     LDFLAGS += $(DARWIN_SDK_LDFLAGS)
 endif
 
 # "Commons" are tentative definitions in a global scope, like this:
 #     int x;
@@ -102,16 +106,16 @@ OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAG
 ifdef BUILD_OPT
 OPTIMIZER	= -O2
 endif
 
 ARCH		= darwin
 
 DSO_CFLAGS	= -fPIC
 # May override this with -bundle to create a loadable module.
-DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_name @executable_path/$(notdir $@) -headerpad_max_install_names $(DARWIN_SDK_DSOFLAGS)
+DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 
-MKSHLIB		= $(CC) -arch $(CPU_ARCH) $(DSO_LDOPTS)
+MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 DLL_SUFFIX	= dylib
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 G++INCLUDES	= -I/usr/include/g++
--- a/security/coreconf/FreeBSD.mk
+++ b/security/coreconf/FreeBSD.mk
@@ -70,16 +70,16 @@ MOZ_OBJFORMAT		:= $(shell test -x /usr/b
 ifeq ($(MOZ_OBJFORMAT),elf)
 DLL_SUFFIX		= so
 else
 DLL_SUFFIX		= so.1.0
 endif
 
 MKSHLIB			= $(CC) $(DSO_LDOPTS)
 ifdef MAPFILE
-# Add LD options to restrict exported symbols to those in the map file
+	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
+PROCESS_MAP_FILE = grep -v ';-' $< | \
+        sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 G++INCLUDES		= -I/usr/include/g++
 
 INCLUDES		+= -I/usr/X11R6/include
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -160,17 +160,17 @@ OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
 DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -shared $(ARCHFLAG) -z defs
+DSO_LDOPTS		= -shared $(ARCHFLAG)
 DSO_LDFLAGS		=
 LDFLAGS			+= $(ARCHFLAG)
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
 # Always set CPU_TAG on Linux, OpenVMS, WINCE.
--- a/security/coreconf/Linux2.6.mk
+++ b/security/coreconf/Linux2.6.mk
@@ -32,16 +32,18 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
+DSO_LDOPTS      += -Wl,-z,defs
+
 OS_REL_CFLAGS   += -DLINUX2_1
 MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/OS2.mk
+++ b/security/coreconf/OS2.mk
@@ -73,28 +73,32 @@ AR_FLAGS                =
 RANLIB 			= @echo OS2 RANLIB
 BSDECHO 		= @echo OS2 BSDECHO
 IMPLIB			= emximp -o
 FILTER			= emxexp -o
 
 # GCC for OS/2 currently predefines these, but we don't want them
 DEFINES 		+= -Uunix -U__unix -U__unix__
 
-DEFINES			+= -DTCPV40HDRS
+DEFINES			+= -DXP_OS2_EMX -DTCPV40HDRS
+
+ifeq ($(MOZ_OS2_HIGH_MEMORY),1)
+HIGHMEM_LDFLAG          = -Zhigh-mem
+endif
 
 ifndef NO_SHARED_LIB
 WRAP_MALLOC_LIB         = 
 WRAP_MALLOC_CFLAGS      = 
 DSO_CFLAGS              = 
 DSO_PIC_CFLAGS          = 
 MKSHLIB                 = $(CXX) $(CXXFLAGS) $(DSO_LDOPTS) -o $@
 MKCSHLIB                = $(CC) $(CFLAGS) $(DSO_LDOPTS) -o $@
 MKSHLIB_FORCE_ALL       = 
 MKSHLIB_UNFORCE_ALL     = 
-DSO_LDOPTS              = -Zomf -Zdll -Zmap
+DSO_LDOPTS              = -Zomf -Zdll -Zmap $(HIGHMEM_LDFLAG)
 SHLIB_LDSTARTFILE	= 
 SHLIB_LDENDFILE		= 
 ifdef MAPFILE
 MKSHLIB += $(MAPFILE)
 endif
 PROCESS_MAP_FILE = \
 	echo LIBRARY $(LIBRARY_NAME)$(LIBRARY_VERSION) INITINSTANCE TERMINSTANCE > $@; \
 	echo PROTMODE >> $@; \
@@ -107,26 +111,26 @@ PROCESS_MAP_FILE = \
 
 endif   #NO_SHARED_LIB
 
 OS_CFLAGS          = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Zomf -DDEBUG -DTRACING -g
 
 ifdef BUILD_OPT
 OPTIMIZER		= -O2 -s
 DEFINES 		+= -UDEBUG -U_DEBUG -DNDEBUG
-DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
+DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map) $(HIGHMEM_LDFLAG)
+EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE $(HIGHMEM_LDFLAG)
 OBJDIR_TAG 		= _OPT
 else
 #OPTIMIZER		= -O+ -Oi
 DEFINES 		+= -DDEBUG -D_DEBUG -DDEBUGPRINTS     #HCT Need += to avoid overidding manifest.mn 
-DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -DEBUG -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
+DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map) $(HIGHMEM_LDFLAG)
+EXEFLAGS    		= -DEBUG -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE $(HIGHMEM_LDFLAG)
 OBJDIR_TAG 		= _DBG
-LDFLAGS 		= -DEBUG 
+LDFLAGS 		= -DEBUG $(HIGHMEM_LDFLAG)
 endif   # BUILD_OPT
 
 else    # XP_OS2_VACPP
 
 # Override suffix in suffix.mk
 OBJ_SUFFIX  = .obj
 ASM_SUFFIX  = .asm
 
@@ -235,18 +239,16 @@ else
 		INSTALL += -L `pwd`
 	else
 		# install using relative symbolic links
 		INSTALL  = $(NSINSTALL)
 		INSTALL += -R
 	endif
 endif
 
-DEFINES += -DXP_OS2
-
 define MAKE_OBJDIR
 if test ! -d $(@D); then rm -rf $(@D); $(NSINSTALL) -D $(@D); fi
 endef
 
 #
 # override the definition of DLL_PREFIX in prefix.mk
 #
 
new file mode 100644
--- /dev/null
+++ b/security/coreconf/SunOS5.11.mk
@@ -0,0 +1,46 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+SOL_CFLAGS += -D_SVID_GETTOD
+
+include $(CORE_DEPTH)/coreconf/SunOS5.mk
+
+ifeq ($(OS_RELEASE),5.11)
+	OS_DEFINES += -DSOLARIS2_11
+endif
+
+OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
new file mode 100644
--- /dev/null
+++ b/security/coreconf/SunOS5.11_i86pc.mk
@@ -0,0 +1,53 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+SOL_CFLAGS	= -D_SVID_GETTOD
+
+include $(CORE_DEPTH)/coreconf/SunOS5.mk
+
+ifeq ($(USE_64),1)
+    CPU_ARCH		= x86_64
+else
+    CPU_ARCH		= x86
+    OS_DEFINES		+= -Di386
+endif
+
+ifeq ($(OS_RELEASE),5.11_i86pc)
+	OS_DEFINES += -DSOLARIS2_11
+endif
+
+OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -56,16 +56,17 @@ else
 	CC           = cl
 	CCC          = cl
 	LINK         = link
 	AR           = lib
 	AR          += -NOLOGO -OUT:"$@"
 	RANLIB       = echo
 	BSDECHO      = echo
 	RC           = rc.exe
+	MT           = mt.exe
 endif
 
 ifdef BUILD_TREE
 NSINSTALL_DIR  = $(BUILD_TREE)/nss
 else
 NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
 endif
 NSINSTALL      = nsinstall
@@ -84,17 +85,20 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mno-cygwin -mms-bitfields
+    # The -mnop-fun-dllimport flag allows us to avoid a drawback of
+    # the dllimport attribute that a pointer to a function marked as
+    # dllimport cannot be used as as a constant address.
+    OS_CFLAGS += -mno-cygwin -mms-bitfields -mnop-fun-dllimport
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mno-cygwin -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	OPTIMIZER  += -O2
 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
 	#
 	# Add symbolic information for a profiler
 	#
@@ -121,16 +125,17 @@ else # !NS_USE_GCC
 	ifdef MOZ_PROFILE
 		OPTIMIZER += -Z7
 	endif
 	ifdef MOZ_DEBUG_SYMBOLS
 		OPTIMIZER += -Zi
 	endif
 	ifneq (,$(MOZ_PROFILE)$(MOZ_DEBUG_SYMBOLS))
 		DLLFLAGS += -DEBUG -OPT:REF
+		LDFLAGS += -DEBUG -OPT:REF
 	endif
     else
 	#
 	# Define USE_DEBUG_RTL if you want to use the debug runtime library
 	# (RTL) in the debug build
 	#
 	ifdef USE_DEBUG_RTL
 		OS_CFLAGS += -MDd
@@ -140,19 +145,24 @@ else # !NS_USE_GCC
 	OPTIMIZER  += -Od -Z7
 	#OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
 	DLLFLAGS   += -DEBUG -OUT:"$@"
+	LDFLAGS    += -DEBUG 
+ifndef MOZ_DEBUG_SYMBOLS
+	LDFLAGS    += -PDB:NONE 
+endif
 	# Purify requires /FIXED:NO when linking EXEs.
-	LDFLAGS    += -DEBUG -PDB:NONE /FIXED:NO
+	LDFLAGS    += /FIXED:NO
     endif
+#   DEFINES += -D_CRT_SECURE_NO_WARNINGS
 endif # NS_USE_GCC
 
 DEFINES += -DWIN32
 ifdef MAPFILE
 ifndef NS_USE_GCC
 DLLFLAGS += -DEF:$(MAPFILE)
 endif
 endif
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -165,8 +165,19 @@ include $(CORE_DEPTH)/coreconf/ruleset.m
 endif
 
 #######################################################################
 # [15.0] Dependencies.
 #######################################################################
 
 -include $(MKDEPENDENCIES)
 
+#######################################################################
+# [16.0] Global environ ment defines
+#######################################################################
+
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
+
+ifdef NSS_ECC_MORE_THAN_SUITE_B
+DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
+endif
--- a/security/coreconf/jdk.mk
+++ b/security/coreconf/jdk.mk
@@ -179,16 +179,41 @@ ifeq ($(OS_ARCH), Linux)
 
 	INCLUDES += -I$(JAVA_HOME)/include
 	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
+# set [Mac OS X] platforms
+ifeq ($(OS_ARCH), Darwin)
+	JAVA_CLASSES = $(JAVA_HOME)/../Classes/classes.jar
+
+	ifeq ($(JRE_HOME),)
+		JRE_HOME = $(JAVA_HOME)
+		JRE_CLASSES = $(JAVA_CLASSES)
+	else
+		ifeq ($(JRE_CLASSES),)
+			JRE_CLASSES = $(JRE_HOME)/../Classes/classes.jar
+		endif
+	endif
+
+	PATH_SEPARATOR = :
+
+	# (2) specify "header" information
+	JAVA_ARCH = darwin
+
+	INCLUDES += -I$(JAVA_HOME)/include
+	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
+
+	# no JIT option available on this platform
+	JDK_JIT_OPT =
+endif
+
 # set [IBM AIX] platforms
 ifeq ($(OS_ARCH), AIX)
 	JAVA_CLASSES = $(JAVA_HOME)/jre/lib/rt.jar
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
--- a/security/coreconf/location.mk
+++ b/security/coreconf/location.mk
@@ -70,9 +70,17 @@ GARBAGE += $(DEPENDENCIES) core $(wildca
 ifdef NSPR_INCLUDE_DIR
     INCLUDES += -I$(NSPR_INCLUDE_DIR)
 endif
 
 ifndef NSPR_LIB_DIR
     NSPR_LIB_DIR = $(DIST)/lib
 endif
 
+ifdef NSS_INCLUDE_DIR
+    INCLUDES += -I$(NSS_INCLUDE_DIR)
+endif
+                                                                                
+ifndef NSS_LIB_DIR
+    NSS_LIB_DIR = $(DIST)/lib
+endif
+
 MK_LOCATION = included
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -109,22 +109,32 @@ release_classes::
 	+$(LOOP_OVER_DIRS)
 
 libs program install:: $(TARGETS)
 ifdef LIBRARY
 	$(INSTALL) -m 664 $(LIBRARY) $(SOURCE_LIB_DIR)
 endif
 ifdef SHARED_LIBRARY
 	$(INSTALL) -m 775 $(SHARED_LIBRARY) $(SOURCE_LIB_DIR)
+ifdef MOZ_DEBUG_SYMBOLS
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+	$(INSTALL) -m 644 $(SHARED_LIBRARY:$(DLL_SUFFIX)=pdb) $(SOURCE_LIB_DIR)
+endif
+endif
 endif
 ifdef IMPORT_LIBRARY
 	$(INSTALL) -m 775 $(IMPORT_LIBRARY) $(SOURCE_LIB_DIR)
 endif
 ifdef PROGRAM
 	$(INSTALL) -m 775 $(PROGRAM) $(SOURCE_BIN_DIR)
+ifdef MOZ_DEBUG_SYMBOLS
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+	$(INSTALL) -m 644 $(PROGRAM:$(PROG_SUFFIX)=.pdb) $(SOURCE_BIN_DIR)
+endif
+endif
 endif
 ifdef PROGRAMS
 	$(INSTALL) -m 775 $(PROGRAMS) $(SOURCE_BIN_DIR)
 endif
 	+$(LOOP_OVER_DIRS)
 
 tests::
 	+$(LOOP_OVER_DIRS)
@@ -270,16 +280,22 @@ ifdef XP_OS2_VACPP
 EXTRA_SHARED_LIBS := $(filter-out -L%,$(EXTRA_SHARED_LIBS))
 EXTRA_SHARED_LIBS := $(patsubst -l%,$(DIST)/lib/%.$(LIB_SUFFIX),$(EXTRA_SHARED_LIBS))
 endif
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 else
 ifdef XP_OS2_VACPP
 	$(MKPROG) -Fe$@ $(CFLAGS) $(OBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 endif
 
@@ -324,16 +340,22 @@ ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
 	$(LD) $(XCFLAGS) -o $@ $(OBJS) -bE:$(OBJDIR)/lib$(LIBRARY_NAME)_syms \
 	-bM:SRE -bnoentry $(OS_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 else
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 ifdef NS_USE_GCC
 	$(LINK_DLL) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
 else
 	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES))
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 endif
 else
 ifdef XP_OS2_VACPP
 	$(MKSHLIB) $(DLLFLAGS) $(LDFLAGS) $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 	chmod +x $@
@@ -362,67 +384,76 @@ endif
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 
 WCCFLAGS1 := $(subst /,\\,$(CFLAGS))
 WCCFLAGS2 := $(subst -I,-i=,$(WCCFLAGS1))
 WCCFLAGS3 := $(subst -D,-d,$(WCCFLAGS2))
 
 # Translate source filenames to absolute paths. This is required for
 # debuggers under Windows & OS/2 to find source files automatically
 
 ifeq (,$(filter-out OS2 AIX,$(OS_TARGET)))
+# OS/2 and AIX
 NEED_ABSOLUTE_PATH := 1
 PWD := $(shell pwd)
-endif
 
+else
+# Windows
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 NEED_ABSOLUTE_PATH := 1
 PWD := $(shell pwd)
 ifeq (,$(findstring ;,$(PATH)))
 ifndef USE_MSYS
 PWD := $(subst \,/,$(shell cygpath -w $(PWD)))
 endif
 endif
+
+else
+# everything else
+PWD := $(shell pwd)
+endif
 endif
 
-ifdef NEED_ABSOLUTE_PATH
-abspath = $(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))
-else
-abspath = $(1)
-endif
+core_abspath = $(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 $(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 ifndef XP_OS2_VACPP
 ifneq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.s
@@ -441,20 +472,20 @@ endif
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
 	@$(MAKE_OBJDIR)
 	$(AS) -o $@ $(ASFLAGS) -c $<
 
 $(OBJDIR)/$(PROG_PREFIX)%: %.cpp
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 #
 # Please keep the next two rules in sync.
 #
@@ -465,20 +496,20 @@ endif
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
 	@$(MAKE_OBJDIR)
 ifdef STRICT_CPLUSPLUS_SUFFIX
 	echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
 	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
 	rm -f $(OBJDIR)/t_$*.cc
 else
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 endif #STRICT_CPLUSPLUS_SUFFIX
 
 %.i: %.cpp
 	$(CCC) -C -E $(CFLAGS) $< > $@
@@ -865,18 +896,17 @@ endif
 
 
 ################################################################################
 
 -include $(DEPENDENCIES)
 
 ifneq (,$(filter-out OpenVMS OS2 WIN%,$(OS_TARGET)))
 # Can't use sed because of its 4000-char line length limit, so resort to perl
-.DEFAULT:
-	@perl -e '                                                            \
+PERL_DEPENDENCIES_PROGRAM =                                                   \
 	    open(MD, "< $(DEPENDENCIES)");                                    \
 	    while (<MD>) {                                                    \
 		if (m@ \.*/*$< @) {                                           \
 		    $$found = 1;                                              \
 		    last;                                                     \
 		}                                                             \
 	    }                                                                 \
 	    if ($$found) {                                                    \
@@ -893,17 +923,20 @@ ifneq (,$(filter-out OpenVMS OS2 WIN%,$(
 		}                                                             \
 		close(TMD);                                                   \
 		if (!rename($$tmpname, "$(DEPENDENCIES)")) {                  \
 		    unlink(($$tmpname));                                      \
 		}                                                             \
 	    } elsif ("$<" ne "$(DEPENDENCIES)") {                             \
 		print "$(MAKE): *** No rule to make target $<.  Stop.\n";     \
 		exit(1);                                                      \
-	    }'
+	    }
+
+.DEFAULT:
+	@perl -e '$(PERL_DEPENDENCIES_PROGRAM)'
 endif
 
 #############################################################################
 # X dependency system
 #############################################################################
 
 ifdef MKDEPENDENCIES
 
deleted file mode 100644
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-coreconf_hack:
-	cd ../coreconf; gmake
-	gmake import
-
-RelEng_bld: coreconf_hack
-	gmake
deleted file mode 100644
--- a/security/dbm/config/config.mk
+++ /dev/null
@@ -1,67 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# These macros are defined by mozilla's configure script.
-# We define them manually here.
-#
-
-DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR
-
-#
-# Most platforms have snprintf, so it's simpler to list the exceptions.
-#
-HAVE_SNPRINTF = 1
-#
-# OSF1 V4.0D doesn't have snprintf but V5.0A does.
-#
-ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D)
-HAVE_SNPRINTF =
-endif
-ifdef HAVE_SNPRINTF
-DEFINES += -DHAVE_SNPRINTF
-endif
-
-ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_CDEFS_H
-endif
-
-ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_BYTEORDER_H
-endif
-
-#
-# None of the platforms that we are interested in need to
-# define HAVE_MEMORY_H.
-#
deleted file mode 100644
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS =	nsres.h   \
-		cdefs.h   \
-		mcom_db.h \
-		ncompat.h \
-		winfile.h \
-		$(NULL)
-
-PRIVATE_EXPORTS =	hsearch.h \
-			page.h    \
-			extern.h  \
-			ndbm.h    \
-			queue.h   \
-			hash.h    \
-			mpool.h   \
-			search.h  \
-			$(NULL)
-
deleted file mode 100644
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,45 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-IMPORTS = nspr20/v4.4.1
-
-RELEASE = dbm
-
-DIRS =  include \
-        src     \
-	$(NULL)
deleted file mode 100644
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(CORE_DEPTH)/dbm/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-#  Currently, override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY   =
-PROGRAM        =
-
-ifdef SHARED_LIBRARY
-	ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16
-		DLLBASE=/BASE:0x30000000
-		RES=$(OBJDIR)/dbm.res
-		RESNAME=../include/dbm.rc
-	endif
-	ifeq ($(DLL_SUFFIX),dll)
-		DEFINES += -D_DLL
-	endif
-endif
-
-ifeq ($(OS_TARGET),AIX)
-	OS_LIBS += -lc_r
-endif
deleted file mode 100644
--- a/security/dbm/src/dirent.c
+++ /dev/null
@@ -1,348 +0,0 @@
-#ifdef OS2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <dirent.h>
-#include <errno.h>
-
-/*#ifndef __EMX__ 
-#include <libx.h>
-#endif */
-
-#define INCL_DOSFILEMGR
-#define INCL_DOSERRORS
-#include <os2.h>
-
-#if OS2 >= 2
-# define FFBUF	FILEFINDBUF3
-# define Word	ULONG
-  /*
-   * LS20 recommends a request count of 100, but according to the
-   * APAR text it does not lead to missing files, just to funny
-   * numbers of returned entries.
-   *
-   * LS30 HPFS386 requires a count greater than 2, or some files
-   * are missing (those starting with a character less that '.').
-   *
-   * Novell looses entries which overflow the buffer. In previous
-   * versions of dirent2, this could have lead to missing files
-   * when the average length of 100 directory entries was 40 bytes
-   * or more (quite unlikely for files on a Novell server).
-   *
-   * Conclusion: Make sure that the entries all fit into the buffer
-   * and that the buffer is large enough for more than 2 entries
-   * (each entry is at most 300 bytes long). And ignore the LS20
-   * effect.
-   */
-# define Count	25
-# define BufSz	(25 * (sizeof(FILEFINDBUF3)+1))
-#else
-# define FFBUF	FILEFINDBUF
-# define Word	USHORT
-# define BufSz	1024
-# define Count	3
-#endif
-
-#if defined(__IBMC__) || defined(__IBMCPP__)
-  #define error(rc) _doserrno = rc, errno = EOS2ERR
-#elif defined(MICROSOFT)
-  #define error(rc) _doserrno = rc, errno = 255
-#else
-  #define error(rc) errno = 255
-#endif
-
-struct _dirdescr {
-	HDIR		handle;		/* DosFindFirst handle */
-	char		fstype;		/* filesystem type */
-	Word		count;		/* valid entries in <ffbuf> */
-	long		number;		/* absolute number of next entry */
-	int		index;		/* relative number of next entry */
-	FFBUF *		next;		/* pointer to next entry */
-	char		name[MAXPATHLEN+3]; /* directory name */
-	unsigned	attrmask;	/* attribute mask for seekdir */
-	struct dirent	entry;		/* buffer for directory entry */
-	BYTE		ffbuf[BufSz];
-};
-
-/*
- * Return first char of filesystem type, or 0 if unknown.
- */
-static char
-getFSType(const char *path)
-{
-	static char cache[1+26];
-	char drive[3], info[512];
-	Word unit, infolen;
-	char r;
-
-	if (isalpha(path[0]) && path[1] == ':') {
-		unit = toupper(path[0]) - '@';
-		path += 2;
-	} else {
-		ULONG driveMap;
-#if OS2 >= 2
-		if (DosQueryCurrentDisk(&unit, &driveMap))
-#else
-		if (DosQCurDisk(&unit, &driveMap))
-#endif
-			return 0;
-	}
-
-	if ((path[0] == '\\' || path[0] == '/')
-	 && (path[1] == '\\' || path[1] == '/'))
-		return 0;
-
-	if (cache [unit])
-		return cache [unit];
-
-	drive[0] = '@' + unit;
-	drive[1] = ':';
-	drive[2] = '\0';
-	infolen = sizeof info;
-#if OS2 >= 2
-	if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
-		return 0;
-	if (infolen >= sizeof(FSQBUFFER2)) {
-		FSQBUFFER2 *p = (FSQBUFFER2 *)info;
-		r = p->szFSDName[p->cbName];
-	} else
-#else
-	if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
-		return 0;
-	if (infolen >= 9) {
-		char *p = info + sizeof(USHORT);
-		p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
-		r = *p;
-	} else
-#endif
-		r = 0;
-	return cache [unit] = r;
-}
-
-char *
-abs_path(const char *name, char *buffer, int len)
-{
-	char buf[4];
-	if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') {
-		buf[0] = name[0];
-		buf[1] = name[1];
-		buf[2] = '.';
-		buf[3] = '\0';
-		name = buf;
-	}
-#if OS2 >= 2
-	if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len))
-#else
-	if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L))
-#endif
-		return NULL;
-	return buffer;
-}
-
-DIR *
-openxdir(const char *path, unsigned att_mask)
-{
-	DIR *dir;
-	char name[MAXPATHLEN+3];
-	Word rc;
-
-	dir = malloc(sizeof(DIR));
-	if (dir == NULL) {
-		errno = ENOMEM;
-		return NULL;
-	}
-
-	strncpy(name, path, MAXPATHLEN);
-	name[MAXPATHLEN] = '\0';
-	switch (name[strlen(name)-1]) {
-	default:
-		strcat(name, "\\");
-	case '\\':
-	case '/':
-	case ':':
-		;
-	}
-	strcat(name, ".");
-	if (!abs_path(name, dir->name, MAXPATHLEN+1))
-		strcpy(dir->name, name);
-	if (dir->name[strlen(dir->name)-1] == '\\')
-		strcat(dir->name, "*");
-	else
-		strcat(dir->name, "\\*");
-
-	dir->fstype = getFSType(dir->name);
-	dir->attrmask = att_mask | A_DIR;
-
-	dir->handle = HDIR_CREATE;
-	dir->count = 100;
-#if OS2 >= 2
-	rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask,
-		dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-	rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask,
-		(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-	switch (rc) {
-	default:
-		free(dir);
-		error(rc);
-		return NULL;
-	case NO_ERROR:
-	case ERROR_NO_MORE_FILES:
-		;
-	}
-
-	dir->number = 0;
-	dir->index = 0;
-	dir->next = (FFBUF *)dir->ffbuf;
-
-	return (DIR *)dir;
-}
-
-DIR *
-opendir(const char *pathname)
-{
-	return openxdir(pathname, 0);
-}
-
-struct dirent *
-readdir(DIR *dir)
-{
-	static int dummy_ino = 2;
-
-	if (dir->index == dir->count) {
-		Word rc;
-		dir->count = 100;
-#if OS2 >= 2
-		rc = DosFindNext(dir->handle, dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#else
-		rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#endif
-		if (rc) {
-			error(rc);
-			return NULL;
-		}
-
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	if (dir->index == dir->count)
-		return NULL;
-
-	memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName);
-	dir->entry.d_name[dir->next->cchName] = '\0';
-	dir->entry.d_ino = dummy_ino++;
-	dir->entry.d_reclen = dir->next->cchName;
-	dir->entry.d_namlen = dir->next->cchName;
-	dir->entry.d_size = dir->next->cbFile;
-	dir->entry.d_attribute = dir->next->attrFile;
-	dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite;
-	dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite;
-
-	switch (dir->fstype) {
-	case 'F': /* FAT */
-	case 'C': /* CDFS */
-		if (dir->next->attrFile & FILE_DIRECTORY)
-			strupr(dir->entry.d_name);
-		else
-			strlwr(dir->entry.d_name);
-	}
-
-#if OS2 >= 2
-	dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset);
-#else
-	dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1);
-#endif
-	++dir->number;
-	++dir->index;
-
-	return &dir->entry;
-}
-
-long
-telldir(DIR *dir)
-{
-	return dir->number;
-}
-
-void
-seekdir(DIR *dir, long off)
-{
-	if (dir->number > off) {
-		char name[MAXPATHLEN+2];
-		Word rc;
-
-		DosFindClose(dir->handle);
-
-		strcpy(name, dir->name);
-		strcat(name, "*");
-
-		dir->handle = HDIR_CREATE;
-		dir->count = 32767;
-#if OS2 >= 2
-		rc = DosFindFirst(name, &dir->handle, dir->attrmask,
-			dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-		rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask,
-			(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-		switch (rc) {
-		default:
-			error(rc);
-			return;
-		case NO_ERROR:
-		case ERROR_NO_MORE_FILES:
-			;
-		}
-
-		dir->number = 0;
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	while (dir->number < off && readdir(dir))
-		;
-}
-
-void
-closedir(DIR *dir)
-{
-	DosFindClose(dir->handle);
-	free(dir);
-}
-
-/*****************************************************************************/
-
-#ifdef TEST
-
-main(int argc, char **argv)
-{
-	int i;
-	DIR *dir;
-	struct dirent *ep;
-
-	for (i = 1; i < argc; ++i) {
-		dir = opendir(argv[i]);
-		if (!dir)
-			continue;
-		while (ep = readdir(dir))
-			if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1]))
-				printf("%s%s\n", argv[i], ep->d_name);
-			else
-				printf("%s/%s\n", argv[i], ep->d_name);
-		closedir(dir);
-	}
-
-	return 0;
-}
-
-#endif
-
-#endif /* OS2 */
-
deleted file mode 100644
--- a/security/dbm/src/dirent.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __DIRENT_H__
-#define __DIRENT_H__
-/*
- * @(#)msd_dir.h 1.4 87/11/06   Public Domain.
- *
- *  A public domain implementation of BSD directory routines for
- *  MS-DOS.  Written by Michael Rendell ({uunet,utai}michael@garfield),
- *  August 1897
- *
- *  Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks
- *  and returns 2 more pieces of information - file size & attribute.
- *  Plus a little reshuffling of some #define's positions    December 1987
- *
- *  Some modifications by Martin Junius                      02-14-89
- *
- *	AK900712
- *	AK910410	abs_path - make absolute path
- *
- */
-
-#ifdef __EMX__
-#include <sys/param.h>
-#else
-#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC)
-#include <stdio.h>
-#ifdef MAXPATHLEN
-	#undef MAXPATHLEN
-#endif
-#define MAXPATHLEN (FILENAME_MAX*4)
-#define MAXNAMLEN FILENAME_MAX
-
-#else
-#include <param.h>
-#endif
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* attribute stuff */
-#ifndef A_RONLY
-# define A_RONLY   0x01
-# define A_HIDDEN  0x02
-# define A_SYSTEM  0x04
-# define A_LABEL   0x08
-# define A_DIR     0x10
-# define A_ARCHIVE 0x20
-#endif
-
-struct dirent {
-#if defined(OS2) || defined(WIN32)        /* use the layout of EMX to avoid trouble */
-    int            d_ino;                 /* Dummy */
-    int            d_reclen;		  /* Dummy, same as d_namlen */
-    int            d_namlen;              /* length of name */
-    char           d_name[MAXNAMLEN + 1];
-    unsigned long  d_size;
-    unsigned short d_attribute;           /* attributes (see above) */
-    unsigned short d_time;                /* modification time */
-    unsigned short d_date;                /* modification date */
-#else
-    char	   d_name[MAXNAMLEN + 1]; /* garentee null termination */
-    char	   d_attribute;		  /* .. extension .. */
-    unsigned long  d_size;		  /* .. extension .. */
-#endif
-};
-
-typedef struct _dirdescr DIR;
-/* the structs do not have to be defined here */
-
-extern DIR		*opendir(const char *);
-extern DIR		*openxdir(const char *, unsigned);
-extern struct dirent	*readdir(DIR *);
-extern void		seekdir(DIR *, long);
-extern long		telldir(DIR *);
-extern void 		closedir(DIR *);
-#define			rewinddir(dirp) seekdir(dirp, 0L)
-
-extern char *		abs_path(const char *name, char *buffer, int len);
-
-#ifndef S_IFMT
-#define S_IFMT ( S_IFDIR | S_IFREG )
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR( m )                    (((m) & S_IFMT) == S_IFDIR)
-#endif
-
-#ifndef S_ISREG
-#define S_ISREG( m )                    (((m) & S_IFMT) == S_IFREG)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
deleted file mode 100644
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-#
-# memmove.c, snprintf.c, and strerror.c are not in CSRCS because
-# the Standard C Library has memmove and strerror and DBM is not
-# using snprintf.
-#
-
-CSRCS = db.c	   \
-	h_bigkey.c \
-	h_func.c   \
-	h_log2.c   \
-	h_page.c   \
-	hash.c	   \
-	hash_buf.c \
-	hsearch.c  \
-	mktemp.c   \
-	ndbm.c	   \
-	nsres.c	   \
-	dirent.c	   \
-	$(NULL)
-
-LIBRARY_NAME = dbm
deleted file mode 100644
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-VPATH		= $(CORE_DEPTH)/../dbm/tests
-
-MODULE		= dbm
-
-CSRCS		= lots.c
-
-PROGRAM		= lots
-
-include $(DEPTH)/coreconf/config.mk
-
-include $(DEPTH)/dbm/config/config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET))) 
-LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS		= $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
-	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
-	$(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
-	purify $(CC) -o crash.pure $(CFLAGS) $^
-
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -75,19 +75,24 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 nss_build_all: build_coreconf build_nspr build_dbm all
 
+nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+
 build_coreconf:
 	cd $(CORE_DEPTH)/coreconf ;  $(MAKE)
 
+clobber_coreconf:
+	cd $(CORE_DEPTH)/coreconf ;  $(MAKE) clobber
+
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
 ifdef BUILD_OPT
@@ -133,20 +138,24 @@ endif
 	$(NSPR_COMPILERS) sh ../configure \
 	$(NSPR_CONFIGURE_OPTS) \
 	--with-dist-prefix='$(NSPR_PREFIX)' \
 	--with-dist-includedir='$(NSPR_PREFIX)/include'
 
 build_nspr: $(NSPR_CONFIG_STATUS)
 	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE)
 
+clobber_nspr: $(NSPR_CONFIG_STATUS)
+	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
+
 build_dbm:
 	cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
 
-	
+clobber_dbm:
+	cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber
 
 moz_import::
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 	$(NSINSTALL) -D $(DIST)/include/nspr
 	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
 	cp $(DIST)/../include/* $(DIST)/include
 ifdef BUILD_OPT
 	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
--- a/security/nss/cmd/Makefile
+++ b/security/nss/cmd/Makefile
@@ -41,150 +41,17 @@ DEPTH = ../..
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 
 ifndef USE_SYSTEM_ZLIB
 ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
 endif
 
-# These sources were once in this directory, but now are gone.
-MISSING_SOURCES = \
-	addcert.c \
-	berparse.c \
-	cert.c	\
-	key.c	\
-	key_rand.c \
-	keygen.c \
-	sec_fe.c \
-	sec_read.c \
-	secarb.c \
-	secutil.c \
-	$(NULL)
-
-# we don't build these any more, but the sources are still here
-OBSOLETE = \
-	berdec.c \
-	berdump.c \
-	cypher.c \
-	dumpcert.c \
-	listcerts.c \
-	mkdongle.c \
-	p12exprt.c \
-	p12imprt.c \
-	rc4.c \
-	sign.c \
-	unwrap.c \
-	vector.c \
-	verify.c \
-	wrap.c \
-	$(NULL)
-
-# the base files for the executables
-# hey -- keep these alphabetical, please
-EXEC_SRCS = \
-	$(NULL)
-
-# files that generate two separate objects and executables
-# BI_SRCS	= \
-# 	keyutil.c \
-# 	p7env.c \
-# 	tstclnt.c \
-# 	$(NULL)
-
-#	-I$(CORE_DEPTH)/security/lib/cert \
-#	-I$(CORE_DEPTH)/security/lib/key \
-#	-I$(CORE_DEPTH)/security/lib/util  \
-
 INCLUDES += \
 	-I$(DIST)/../public/security \
 	-I./include \
 	$(NULL)
 
-TBD_DIRS = rsh rshd rdist ssld
-
-# For the time being, sec stuff is export only
-# US_FLAGS = -DEXPORT_VERSION -DUS_VERSION
-
-US_FLAGS = -DEXPORT_VERSION
-EXPORT_FLAGS = -DEXPORT_VERSION
-
-BASE_LIBS = \
-	$(DIST)/lib/libdbm.$(LIB_SUFFIX) \
-	$(DIST)/lib/libxp.$(LIB_SUFFIX) \
-	$(DIST)/lib/libnspr.$(LIB_SUFFIX) \
-	$(NULL)
-
-#	$(DIST)/lib/libpurenspr.$(LIB_SUFFIX) \
-
-#There is a circular dependancy in security/lib, and here is a gross fix
-SEC_LIBS = \
-	$(DIST)/lib/libsecnav.$(LIB_SUFFIX) \
-        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
-        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
-        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
-	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
-        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
-        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
-        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
-        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
-	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
-        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
-        $(DIST)/lib/libhash.$(LIB_SUFFIX) \
-	$(NULL)
-
-MYLIB	= lib/$(OBJDIR)/libsectool.$(LIB_SUFFIX)
-
-US_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS)
-EX_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS) 
-
-REQUIRES = libxp nspr security
-
-CSRCS	= $(EXEC_SRCS) $(BI_SRCS)
-
-OBJS	= $(CSRCS:.c=.o) $(BI_SRCS:.c=-us.o) $(BI_SRCS:.c=-ex.o)
-
-PROGS		= $(addprefix $(OBJDIR)/, $(EXEC_SRCS:.c=$(BIN_SUFFIX)))
-US_PROGS 	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-us$(BIN_SUFFIX)))
-EX_PROGS	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-ex$(BIN_SUFFIX)))
-
-
-NON_DIRS = $(PROGS) $(US_PROGS) $(EX_PROGS)
-TARGETS = $(NON_DIRS)
-
 include $(CORE_DEPTH)/coreconf/rules.mk
 
-
-ifneq ($(OS_TARGET),OS2)
-$(OBJDIR)/%-us.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(US_FLAGS) -c $*.c
-
-$(OBJDIR)/%-ex.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(EXPORT_FLAGS) -c $*.c
-
-$(OBJDIR)/%.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(EXPORT_FLAGS) -c $*.c
-
-$(US_PROGS):$(OBJDIR)/%-us: $(OBJDIR)/%-us.o $(US_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(OBJDIR)/$*-us.o $(LDFLAGS) $(US_LIBS) $(OS_LIBS)
-
-$(EX_PROGS):$(OBJDIR)/%-ex: $(OBJDIR)/%-ex.o $(EX_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(OBJDIR)/$*-ex.o $(LDFLAGS) $(EX_LIBS) $(OS_LIBS)
-
-$(PROGS):$(OBJDIR)/%: $(OBJDIR)/%.o $(EX_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $@.o $(LDFLAGS) $(EX_LIBS) $(OS_LIBS)
-
-#install:: $(TARGETS)
-#	$(INSTALL) $(TARGETS) $(DIST)/bin
-endif
-
 symbols::
 	@echo "TARGETS	= $(TARGETS)"
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/NSPRerrs.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/SECerrs.h
+++ /dev/null
@@ -1,444 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* General security error codes  */
-/* Caller must #include "secerr.h" */
-
-ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
-"An I/O error occurred during security authorization.")
-
-ER3(SEC_ERROR_LIBRARY_FAILURE,			SEC_ERROR_BASE + 1,
-"security library failure.")
-
-ER3(SEC_ERROR_BAD_DATA,				SEC_ERROR_BASE + 2,
-"security library: received bad data.")
-
-ER3(SEC_ERROR_OUTPUT_LEN,			SEC_ERROR_BASE + 3,
-"security library: output length error.")
-
-ER3(SEC_ERROR_INPUT_LEN,			SEC_ERROR_BASE + 4,
-"security library has experienced an input length error.")
-
-ER3(SEC_ERROR_INVALID_ARGS,			SEC_ERROR_BASE + 5,
-"security library: invalid arguments.")
-
-ER3(SEC_ERROR_INVALID_ALGORITHM,		SEC_ERROR_BASE + 6,
-"security library: invalid algorithm.")
-
-ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
-"security library: invalid AVA.")
-
-ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
-"Improperly formatted time string.")
-
-ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
-"security library: improperly formatted DER-encoded message.")
-
-ER3(SEC_ERROR_BAD_SIGNATURE,			SEC_ERROR_BASE + 10,
-"Peer's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_EXPIRED_CERTIFICATE,		SEC_ERROR_BASE + 11,
-"Peer's Certificate has expired.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE,		SEC_ERROR_BASE + 12,
-"Peer's Certificate has been revoked.")
-
-ER3(SEC_ERROR_UNKNOWN_ISSUER,			SEC_ERROR_BASE + 13,
-"Peer's Certificate issuer is not recognized.")
-
-ER3(SEC_ERROR_BAD_KEY,				SEC_ERROR_BASE + 14,
-"Peer's public key is invalid.")
-
-ER3(SEC_ERROR_BAD_PASSWORD,			SEC_ERROR_BASE + 15,
-"The security password entered is incorrect.")
-
-ER3(SEC_ERROR_RETRY_PASSWORD,			SEC_ERROR_BASE + 16,
-"New password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_NO_NODELOCK,			SEC_ERROR_BASE + 17,
-"security library: no nodelock.")
-
-ER3(SEC_ERROR_BAD_DATABASE,			SEC_ERROR_BASE + 18,
-"security library: bad database.")
-
-ER3(SEC_ERROR_NO_MEMORY,			SEC_ERROR_BASE + 19,
-"security library: memory allocation failure.")
-
-ER3(SEC_ERROR_UNTRUSTED_ISSUER,			SEC_ERROR_BASE + 20,
-"Peer's certificate issuer has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_UNTRUSTED_CERT,			SEC_ERROR_BASE + 21,
-"Peer's certificate has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT,			(SEC_ERROR_BASE + 22),
-"Certificate already exists in your database.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT_NAME,		(SEC_ERROR_BASE + 23),
-"Downloaded certificate's name duplicates one already in your database.")
-
-ER3(SEC_ERROR_ADDING_CERT,			(SEC_ERROR_BASE + 24),
-"Error adding certificate to database.")
-
-ER3(SEC_ERROR_FILING_KEY,			(SEC_ERROR_BASE + 25),
-"Error refiling the key for this certificate.")
-
-ER3(SEC_ERROR_NO_KEY,				(SEC_ERROR_BASE + 26),
-"The private key for this certificate cannot be found in key database")
-
-ER3(SEC_ERROR_CERT_VALID,			(SEC_ERROR_BASE + 27),
-"This certificate is valid.")
-
-ER3(SEC_ERROR_CERT_NOT_VALID,			(SEC_ERROR_BASE + 28),
-"This certificate is not valid.")
-
-ER3(SEC_ERROR_CERT_NO_RESPONSE,			(SEC_ERROR_BASE + 29),
-"Cert Library: No Response")
-
-ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE,	(SEC_ERROR_BASE + 30),
-"The certificate issuer's certificate has expired.  Check your system date and time.")
-
-ER3(SEC_ERROR_CRL_EXPIRED,			(SEC_ERROR_BASE + 31),
-"The CRL for the certificate's issuer has expired.  Update it or check your system data and time.")
-
-ER3(SEC_ERROR_CRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 32),
-"The CRL for the certificate's issuer has an invalid signature.")
-
-ER3(SEC_ERROR_CRL_INVALID,			(SEC_ERROR_BASE + 33),
-"New CRL has an invalid format.")
-
-ER3(SEC_ERROR_EXTENSION_VALUE_INVALID,		(SEC_ERROR_BASE + 34),
-"Certificate extension value is invalid.")
-
-ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
-"Certificate extension not found.")
-
-ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
-"Issuer certificate is invalid.")
-   
-ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
-"Certificate path length constraint is invalid.")
-
-ER3(SEC_ERROR_CERT_USAGES_INVALID,		(SEC_ERROR_BASE + 38),
-"Certificate usages field is invalid.")
-
-ER3(SEC_INTERNAL_ONLY,				(SEC_ERROR_BASE + 39),
-"**Internal ONLY module**")
-
-ER3(SEC_ERROR_INVALID_KEY,			(SEC_ERROR_BASE + 40),
-"The key does not support the requested operation.")
-
-ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,	(SEC_ERROR_BASE + 41),
-"Certificate contains unknown critical extension.")
-
-ER3(SEC_ERROR_OLD_CRL,				(SEC_ERROR_BASE + 42),
-"New CRL is not later than the current one.")
-
-ER3(SEC_ERROR_NO_EMAIL_CERT,			(SEC_ERROR_BASE + 43),
-"Not encrypted or signed: you do not yet have an email certificate.")
-
-ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY,		(SEC_ERROR_BASE + 44),
-"Not encrypted: you do not have certificates for each of the recipients.")
-
-ER3(SEC_ERROR_NOT_A_RECIPIENT,			(SEC_ERROR_BASE + 45),
-"Cannot decrypt: you are not a recipient, or matching certificate and \
-private key not found.")
-
-ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH,		(SEC_ERROR_BASE + 46),
-"Cannot decrypt: key encryption algorithm does not match your certificate.")
-
-ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE,		(SEC_ERROR_BASE + 47),
-"Signature verification failed: no signer found, too many signers found, \
-or improper or corrupted data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_KEYALG,		(SEC_ERROR_BASE + 48),
-"Unsupported or unknown key algorithm.")
-
-ER3(SEC_ERROR_DECRYPTION_DISALLOWED,		(SEC_ERROR_BASE + 49),
-"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
-
-
-/* Fortezza Alerts */
-ER3(XP_SEC_FORTEZZA_BAD_CARD,			(SEC_ERROR_BASE + 50),
-"Fortezza card has not been properly initialized.  \
-Please remove it and return it to your issuer.")
-
-ER3(XP_SEC_FORTEZZA_NO_CARD,			(SEC_ERROR_BASE + 51),
-"No Fortezza cards Found")
-
-ER3(XP_SEC_FORTEZZA_NONE_SELECTED,		(SEC_ERROR_BASE + 52),
-"No Fortezza card selected")
-
-ER3(XP_SEC_FORTEZZA_MORE_INFO,			(SEC_ERROR_BASE + 53),
-"Please select a personality to get more info on")
-
-ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND,		(SEC_ERROR_BASE + 54),
-"Personality not found")
-
-ER3(XP_SEC_FORTEZZA_NO_MORE_INFO,		(SEC_ERROR_BASE + 55),
-"No more information on that Personality")
-
-ER3(XP_SEC_FORTEZZA_BAD_PIN,			(SEC_ERROR_BASE + 56),
-"Invalid Pin")
-
-ER3(XP_SEC_FORTEZZA_PERSON_ERROR,		(SEC_ERROR_BASE + 57),
-"Couldn't initialize Fortezza personalities.")
-/* end fortezza alerts. */
-
-ER3(SEC_ERROR_NO_KRL,				(SEC_ERROR_BASE + 58),
-"No KRL for this site's certificate has been found.")
-
-ER3(SEC_ERROR_KRL_EXPIRED,			(SEC_ERROR_BASE + 59),
-"The KRL for this site's certificate has expired.")
-
-ER3(SEC_ERROR_KRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 60),
-"The KRL for this site's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_REVOKED_KEY,			(SEC_ERROR_BASE + 61),
-"The key for this site's certificate has been revoked.")
-
-ER3(SEC_ERROR_KRL_INVALID,			(SEC_ERROR_BASE + 62),
-"New KRL has an invalid format.")
-
-ER3(SEC_ERROR_NEED_RANDOM,			(SEC_ERROR_BASE + 63),
-"security library: need random data.")
-
-ER3(SEC_ERROR_NO_MODULE,			(SEC_ERROR_BASE + 64),
-"security library: no security module can perform the requested operation.")
-
-ER3(SEC_ERROR_NO_TOKEN,				(SEC_ERROR_BASE + 65),
-"The security card or token does not exist, needs to be initialized, or has been removed.")
-
-ER3(SEC_ERROR_READ_ONLY,			(SEC_ERROR_BASE + 66),
-"security library: read-only database.")
-
-ER3(SEC_ERROR_NO_SLOT_SELECTED,			(SEC_ERROR_BASE + 67),
-"No slot or token was selected.")
-
-ER3(SEC_ERROR_CERT_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 68),
-"A certificate with the same nickname already exists.")
-
-ER3(SEC_ERROR_KEY_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 69),
-"A key with the same nickname already exists.")
-
-ER3(SEC_ERROR_SAFE_NOT_CREATED,			(SEC_ERROR_BASE + 70),
-"error while creating safe object")
-
-ER3(SEC_ERROR_BAGGAGE_NOT_CREATED,		(SEC_ERROR_BASE + 71),
-"error while creating baggage object")
-
-ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR,		(SEC_ERROR_BASE + 72),
-"Couldn't remove the principal")
-
-ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR,		(SEC_ERROR_BASE + 73),
-"Couldn't delete the privilege")
-
-ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR,		(SEC_ERROR_BASE + 74),
-"This principal doesn't have a certificate")
-
-ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM,		(SEC_ERROR_BASE + 75),
-"Required algorithm is not allowed.")
-
-ER3(SEC_ERROR_EXPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 76),
-"Error attempting to export certificates.")
-
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
-
-ER3(SEC_ERROR_PKCS12_DECODING_PFX,		(SEC_ERROR_BASE + 78),
-"Unable to import.  Decoding error.  File not valid.")
-
-ER3(SEC_ERROR_PKCS12_INVALID_MAC,		(SEC_ERROR_BASE + 79),
-"Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM,	(SEC_ERROR_BASE + 80),
-"Unable to import.  MAC algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import.  Only password integrity and privacy modes supported.")
-
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE,	(SEC_ERROR_BASE + 82),
-"Unable to import.  File structure is corrupt.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import.  Encryption algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION,	(SEC_ERROR_BASE + 84),
-"Unable to import.  File version not supported.")
-
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import.  Incorrect privacy password.")
-
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION,		(SEC_ERROR_BASE + 86),
-"Unable to import.  Same nickname already exists in database.")
-
-ER3(SEC_ERROR_USER_CANCELLED,			(SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
-
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA,		(SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
-
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED,		(SEC_ERROR_BASE + 89),
-"Message not sent.")
-
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE,		(SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
-
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE,		(SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
-
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH,		(SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY,	(SEC_ERROR_BASE + 93),
-"Unable to import.  Error attempting to import private key.")
-
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN,	(SEC_ERROR_BASE + 94),
-"Unable to import.  Error attempting to import certificate chain.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export.  Unable to locate certificate or key by nickname.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY,	(SEC_ERROR_BASE + 96),
-"Unable to export.  Private Key could not be located and exported.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, 		(SEC_ERROR_BASE + 97),
-"Unable to export.  Unable to write the export file.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ,		(SEC_ERROR_BASE + 98),
-"Unable to import.  Unable to read the import file.")
-
-ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export.  Key database corrupt or deleted.")
-
-ER3(SEC_ERROR_KEYGEN_FAIL,			(SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
-
-ER3(SEC_ERROR_INVALID_PASSWORD,			(SEC_ERROR_BASE + 101),
-"Password entered is invalid.  Please pick a different one.")
-
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD,		(SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
-
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
-
-/* ER3(SEC_ERROR_UNKNOWN, 			(SEC_ERROR_BASE + 105), */
-
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
-"Invalid module name.")
-
-ER3(SEC_ERROR_JS_INVALID_DLL, 			(SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
-
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, 		(SEC_ERROR_BASE + 108),
-"Unable to add module")
-
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
-"Unable to delete module")
-
-ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
- 
-ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL.  Delete current CKL.")
-
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
-certificate with this name.")
-
-ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
-
-ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
-
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
-
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
-
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
-
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
-
-ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
-this certificate.")
-
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
-
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/SSLerrs.h
+++ /dev/null
@@ -1,369 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* SSL-specific security error codes  */
-/* caller must include "sslerr.h" */
-
-ER3(SSL_ERROR_EXPORT_ONLY_SERVER,			SSL_ERROR_BASE + 0,
-"Unable to communicate securely.  Peer does not support high-grade encryption.")
-
-ER3(SSL_ERROR_US_ONLY_SERVER,				SSL_ERROR_BASE + 1,
-"Unable to communicate securely.  Peer requires high-grade encryption which is not supported.")
-
-ER3(SSL_ERROR_NO_CYPHER_OVERLAP,			SSL_ERROR_BASE + 2,
-"Cannot communicate securely with peer: no common encryption algorithm(s).")
-
-ER3(SSL_ERROR_NO_CERTIFICATE,				SSL_ERROR_BASE + 3,
-"Unable to find the certificate or key necessary for authentication.")
-
-ER3(SSL_ERROR_BAD_CERTIFICATE,				SSL_ERROR_BASE + 4,
-"Unable to communicate securely with peer: peers's certificate was rejected.")
-
-/* unused						(SSL_ERROR_BASE + 5),*/
-
-ER3(SSL_ERROR_BAD_CLIENT,				SSL_ERROR_BASE + 6,
-"The server has encountered bad data from the client.")
-
-ER3(SSL_ERROR_BAD_SERVER,				SSL_ERROR_BASE + 7,
-"The client has encountered bad data from the server.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,		SSL_ERROR_BASE + 8,
-"Unsupported certificate type.")
-
-ER3(SSL_ERROR_UNSUPPORTED_VERSION,			SSL_ERROR_BASE + 9,
-"Peer using unsupported version of security protocol.")
-
-/* unused						(SSL_ERROR_BASE + 10),*/
-
-ER3(SSL_ERROR_WRONG_CERTIFICATE,			SSL_ERROR_BASE + 11,
-"Client authentication failed: private key in key database does not match public key in certificate database.")
-
-ER3(SSL_ERROR_BAD_CERT_DOMAIN,				SSL_ERROR_BASE + 12,
-"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
-
-/* SSL_ERROR_POST_WARNING				(SSL_ERROR_BASE + 13),
-   defined in sslerr.h
-*/
-
-ER3(SSL_ERROR_SSL2_DISABLED,				(SSL_ERROR_BASE + 14),
-"Peer only supports SSL version 2, which is locally disabled.")
-
-
-ER3(SSL_ERROR_BAD_MAC_READ,				(SSL_ERROR_BASE + 15),
-"SSL received a record with an incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_MAC_ALERT,				(SSL_ERROR_BASE + 16),
-"SSL peer reports incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_CERT_ALERT,				(SSL_ERROR_BASE + 17),
-"SSL peer cannot verify your certificate.")
-
-ER3(SSL_ERROR_REVOKED_CERT_ALERT,			(SSL_ERROR_BASE + 18),
-"SSL peer rejected your certificate as revoked.")
-
-ER3(SSL_ERROR_EXPIRED_CERT_ALERT,			(SSL_ERROR_BASE + 19),
-"SSL peer rejected your certificate as expired.")
-
-ER3(SSL_ERROR_SSL_DISABLED,				(SSL_ERROR_BASE + 20),
-"Cannot connect: SSL is disabled.")
-
-ER3(SSL_ERROR_FORTEZZA_PQG,				(SSL_ERROR_BASE + 21),
-"Cannot connect: SSL peer is in another FORTEZZA domain.")
-
-
-ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE          , (SSL_ERROR_BASE + 22),
-"An unknown SSL cipher suite has been requested.")
-
-ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED          , (SSL_ERROR_BASE + 23),
-"No cipher suites are present and enabled in this program.")
-
-ER3(SSL_ERROR_BAD_BLOCK_PADDING             , (SSL_ERROR_BASE + 24),
-"SSL received a record with bad block padding.")
-
-ER3(SSL_ERROR_RX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 25),
-"SSL received a record that exceeded the maximum permissible length.")
-
-ER3(SSL_ERROR_TX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 26),
-"SSL attempted to send a record that exceeded the maximum permissible length.")
-
-/*
- * Received a malformed (too long or short or invalid content) SSL handshake.
- */
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST    , (SSL_ERROR_BASE + 27),
-"SSL received a malformed Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO     , (SSL_ERROR_BASE + 28),
-"SSL received a malformed Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO     , (SSL_ERROR_BASE + 29),
-"SSL received a malformed Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE      , (SSL_ERROR_BASE + 30),
-"SSL received a malformed Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH  , (SSL_ERROR_BASE + 31),
-"SSL received a malformed Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST     , (SSL_ERROR_BASE + 32),
-"SSL received a malformed Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE       , (SSL_ERROR_BASE + 33),
-"SSL received a malformed Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY      , (SSL_ERROR_BASE + 34),
-"SSL received a malformed Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH  , (SSL_ERROR_BASE + 35),
-"SSL received a malformed Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_FINISHED         , (SSL_ERROR_BASE + 36),
-"SSL received a malformed Finished handshake message.")
-
-/*
- * Received a malformed (too long or short) SSL record.
- */
-ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER    , (SSL_ERROR_BASE + 37),
-"SSL received a malformed Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_ALERT            , (SSL_ERROR_BASE + 38),
-"SSL received a malformed Alert record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE        , (SSL_ERROR_BASE + 39),
-"SSL received a malformed Handshake record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
-"SSL received a malformed Application Data record.")
-
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST   , (SSL_ERROR_BASE + 41),
-"SSL received an unexpected Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO    , (SSL_ERROR_BASE + 42),
-"SSL received an unexpected Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO    , (SSL_ERROR_BASE + 43),
-"SSL received an unexpected Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE     , (SSL_ERROR_BASE + 44),
-"SSL received an unexpected Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
-"SSL received an unexpected Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST    , (SSL_ERROR_BASE + 46),
-"SSL received an unexpected Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE      , (SSL_ERROR_BASE + 47),
-"SSL received an unexpected Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY     , (SSL_ERROR_BASE + 48),
-"SSL received an unexpected Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
-"SSL received an unexpected Cllient Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED        , (SSL_ERROR_BASE + 50),
-"SSL received an unexpected Finished handshake message.")
-
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER   , (SSL_ERROR_BASE + 51),
-"SSL received an unexpected Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_ALERT           , (SSL_ERROR_BASE + 52),
-"SSL received an unexpected Alert record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE       , (SSL_ERROR_BASE + 53),
-"SSL received an unexpected Handshake record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
-"SSL received an unexpected Application Data record.")
-
-/*
- * Received record/message with unknown discriminant.
- */
-ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE        , (SSL_ERROR_BASE + 55),
-"SSL received a record with an unknown content type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE          , (SSL_ERROR_BASE + 56),
-"SSL received a handshake message with an unknown message type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_ALERT              , (SSL_ERROR_BASE + 57),
-"SSL received an alert record with an unknown alert description.")
-
-/*
- * Received an alert reporting what we did wrong.  (more alerts above)
- */
-ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT            , (SSL_ERROR_BASE + 58),
-"SSL peer has closed this connection.")
-
-ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT    , (SSL_ERROR_BASE + 59),
-"SSL peer was not expecting a handshake message it received.")
-
-ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT   , (SSL_ERROR_BASE + 60),
-"SSL peer was unable to succesfully decompress an SSL record it received.")
-
-ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT       , (SSL_ERROR_BASE + 61),
-"SSL peer was unable to negotiate an acceptable set of security parameters.")
-
-ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT       , (SSL_ERROR_BASE + 62),
-"SSL peer rejected a handshake message for unacceptable content.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT        , (SSL_ERROR_BASE + 63),
-"SSL peer does not support certificates of the type it received.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT     , (SSL_ERROR_BASE + 64),
-"SSL peer had some unspecified issue with the certificate it received.")
-
-
-ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE       , (SSL_ERROR_BASE + 65),
-"SSL experienced a failure of its random number generator.")
-
-ER3(SSL_ERROR_SIGN_HASHES_FAILURE           , (SSL_ERROR_BASE + 66),
-"Unable to digitally sign data required to verify your certificate.")
-
-ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE    , (SSL_ERROR_BASE + 67),
-"SSL was unable to extract the public key from the peer's certificate.")
-
-ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 68),
-"Unspecified failure while processing SSL Server Key Exchange handshake.")
-
-ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 69),
-"Unspecified failure while processing SSL Client Key Exchange handshake.")
-
-ER3(SSL_ERROR_ENCRYPTION_FAILURE            , (SSL_ERROR_BASE + 70),
-"Bulk data encryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILURE            , (SSL_ERROR_BASE + 71),
-"Bulk data decryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_SOCKET_WRITE_FAILURE          , (SSL_ERROR_BASE + 72),
-"Attempt to write encrypted data to underlying socket failed.")
-
-ER3(SSL_ERROR_MD5_DIGEST_FAILURE            , (SSL_ERROR_BASE + 73),
-"MD5 digest function failed.")
-
-ER3(SSL_ERROR_SHA_DIGEST_FAILURE            , (SSL_ERROR_BASE + 74),
-"SHA-1 digest function failed.")
-
-ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE       , (SSL_ERROR_BASE + 75),
-"MAC computation failed.")
-
-ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE       , (SSL_ERROR_BASE + 76),
-"Failure to create Symmetric Key context.")
-
-ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE        , (SSL_ERROR_BASE + 77),
-"Failure to unwrap the Symmetric key in Client Key Exchange message.")
-
-ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED   , (SSL_ERROR_BASE + 78),
-"SSL Server attempted to use domestic-grade public key with export cipher suite.")
-
-ER3(SSL_ERROR_IV_PARAM_FAILURE              , (SSL_ERROR_BASE + 79),
-"PKCS11 code failed to translate an IV into a param.")
-
-ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE     , (SSL_ERROR_BASE + 80),
-"Failed to initialize the selected cipher suite.")
-
-ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE       , (SSL_ERROR_BASE + 81),
-"Client failed to generate session keys for SSL session.")
-
-ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG         , (SSL_ERROR_BASE + 82),
-"Server has no key for the attempted key exchange algorithm.")
-
-ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL       , (SSL_ERROR_BASE + 83),
-"PKCS#11 token was inserted or removed while operation was in progress.")
-
-ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND          , (SSL_ERROR_BASE + 84),
-"No PKCS#11 token could be found to do a required operation.")
-
-ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP        , (SSL_ERROR_BASE + 85),
-"Cannot communicate securely with peer: no common compression algorithm(s).")
-
-ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED       , (SSL_ERROR_BASE + 86),
-"Cannot initiate another SSL handshake until current handshake is complete.")
-
-ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      , (SSL_ERROR_BASE + 87),
-"Received incorrect handshakes hash values from peer.")
-
-ER3(SSL_ERROR_CERT_KEA_MISMATCH             , (SSL_ERROR_BASE + 88),
-"The certificate provided cannot be used with the selected key exchange algorithm.")
-
-ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	, (SSL_ERROR_BASE + 89),
-"No certificate authority is trusted for SSL client authentication.")
-
-ER3(SSL_ERROR_SESSION_NOT_FOUND		, (SSL_ERROR_BASE + 90),
-"Client's SSL session ID not found in server's session cache.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT     , (SSL_ERROR_BASE + 91),
-"Peer was unable to decrypt an SSL record it received.")
-
-ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT       , (SSL_ERROR_BASE + 92),
-"Peer received an SSL record that was longer than is permitted.")
-
-ER3(SSL_ERROR_UNKNOWN_CA_ALERT            , (SSL_ERROR_BASE + 93),
-"Peer does not recognize and trust the CA that issued your certificate.")
-
-ER3(SSL_ERROR_ACCESS_DENIED_ALERT         , (SSL_ERROR_BASE + 94),
-"Peer received a valid certificate, but access was denied.")
-
-ER3(SSL_ERROR_DECODE_ERROR_ALERT          , (SSL_ERROR_BASE + 95),
-"Peer could not decode an SSL handshake message.")
-
-ER3(SSL_ERROR_DECRYPT_ERROR_ALERT         , (SSL_ERROR_BASE + 96),
-"Peer reports failure of signature verification or key exchange.")
-
-ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT    , (SSL_ERROR_BASE + 97),
-"Peer reports negotiation not in compliance with export regulations.")
-
-ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT      , (SSL_ERROR_BASE + 98),
-"Peer reports incompatible or unsupported protocol version.")
-
-ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
-"Server requires ciphers more secure than those supported by client.")
-
-ER3(SSL_ERROR_INTERNAL_ERROR_ALERT        , (SSL_ERROR_BASE + 100),
-"Peer reports it experienced an internal error.")
-
-ER3(SSL_ERROR_USER_CANCELED_ALERT         , (SSL_ERROR_BASE + 101),
-"Peer user canceled handshake.")
-
-ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT      , (SSL_ERROR_BASE + 102),
-"Peer does not permit renegotiation of SSL security parameters.")
-
--- a/security/nss/cmd/SSLsample/client.mn
+++ b/security/nss/cmd/SSLsample/client.mn
@@ -41,14 +41,10 @@ MODULE = nss
 EXPORTS = 
 
 CSRCS =  client.c \
 	sslsample.c \
 	$(NULL)
 
 PROGRAM = client
 
-REQUIRES = dbm 
-
 IMPORTS = nss/lib/nss
 
-DEFINES = -DNSPR20 
-
--- a/security/nss/cmd/SSLsample/server.mn
+++ b/security/nss/cmd/SSLsample/server.mn
@@ -41,12 +41,8 @@ MODULE  = nss
 EXPORTS = 
 
 CSRCS =  server.c	\
 	sslsample.c	\
 	$(NULL)
 
 PROGRAM  = server
 
-REQUIRES = dbm 
-
-DEFINES  = -DNSPR20
-
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -179,17 +179,17 @@ static void Usage()
     PRINTUSAGE("",	"-k", "file which contains key");
 #ifdef NSS_ENABLE_ECC
     PRINTUSAGE("",	"-n", "name of curve for EC key generation; one of:");
     PRINTUSAGE("",  "",   "  sect163k1, nistk163, sect163r1, sect163r2,");
     PRINTUSAGE("",  "",   "  nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
     PRINTUSAGE("",  "",   "  sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
     PRINTUSAGE("",  "",   "  sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
     PRINTUSAGE("",  "",   "  nistb409, sect571k1, nistk571, sect571r1, nistb571,");
-    PRINTUSAGE("",  "",   "  secp169k1, secp160r1, secp160r2, secp192k1, secp192r1,");
+    PRINTUSAGE("",  "",   "  secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
     PRINTUSAGE("",  "",   "  nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
     PRINTUSAGE("",  "",   "  secp256r1, nistp256, secp384r1, nistp384, secp521r1,");
     PRINTUSAGE("",  "",   "  nistp521, prime192v1, prime192v2, prime192v3,");
     PRINTUSAGE("",  "",   "  prime239v1, prime239v2, prime239v3, c2pnb163v1,");
     PRINTUSAGE("",  "",   "  c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,");
     PRINTUSAGE("",  "",   "  c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5,");
     PRINTUSAGE("",  "",   "  c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,");
     PRINTUSAGE("",  "",   "  c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1,");
@@ -2494,19 +2494,22 @@ print_td:
               fprintf(stdout, "%8s", "pqg_mod");
           else
               fprintf(stdout, "%8d", PQG_INDEX_TO_PBITS(info->params.dsa.j));
           break;
 #ifdef NSS_ENABLE_ECC
       case bltestECDSA:
           if (td)
               fprintf(stdout, "%12s", "ec_curve");
-          else
+          else {
+	      ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
               fprintf(stdout, "%12s",
-                      ecCurve_map[info->params.ecdsa.eckey->ecParams.name]->text);
+                      ecCurve_map[curveName]? ecCurve_map[curveName]->text:
+					      "Unsupported curve");
+	  }
           break;
 #endif
       case bltestMD2:
       case bltestMD5:
       case bltestSHA1:
       case bltestSHA256:
       case bltestSHA384:
       case bltestSHA512:
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -65,17 +65,18 @@
 #include "secasn1.h"
 #include "cert.h"
 #include "cryptohi.h"
 #include "secoid.h"
 #include "certdb.h"
 #include "nss.h"
 
 #define MIN_KEY_BITS		512
-#define MAX_KEY_BITS		2048
+/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
+#define MAX_KEY_BITS		8192
 #define DEFAULT_KEY_BITS	1024
 
 #define GEN_BREAK(e) rv=e; break;
 
 
 extern SECKEYPrivateKey *CERTUTIL_GeneratePrivateKey(KeyType keytype,
 						     PK11SlotInfo *slot, 
                                                      int rsasize,
@@ -757,16 +758,19 @@ ValidateCert(CERTCertDBHandle *handle, c
     CERTVerifyLog *log = NULL;
 
     if (!certUsage) {
 	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
 	    return (SECFailure);
     }
     
     switch (*certUsage) {
+	case 'O':
+	    usage = certificateUsageStatusResponder;
+	    break;
 	case 'C':
 	    usage = certificateUsageSSLClient;
 	    break;
 	case 'V':
 	    usage = certificateUsageSSLServer;
 	    break;
 	case 'S':
 	    usage = certificateUsageEmailSigner;
@@ -988,16 +992,17 @@ static void
 Usage(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName);
     FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
     	progName);
+    FPS "\t%s -B -i batch-file\n", progName);
     FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
 	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
         "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
 	"\t\t [-6] [-7 emailAddrs] [-8 dns-names]\n",
 	progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
 	progName);
@@ -1036,16 +1041,18 @@ Usage(char *progName)
     exit(1);
 }
 
 static void LongUsage(char *progName)
 {
 
     FPS "%-15s Add a certificate to the database        (create if needed)\n",
 	"-A");
+    FPS "%-15s Run a series of certutil commands from a batch file\n", "-B");
+    FPS "%-20s Specify the batch file\n", "   -i batch-file");
     FPS "%-15s Add an Email certificate to the database (create if needed)\n",
 	"-E");
     FPS "%-20s Specify the nickname of the certificate to add\n",
 	"   -n cert-name");
     FPS "%-20s Set the certificate trust attributes:\n",
 	"   -t trustargs");
     FPS "%-25s p \t valid peer\n", "");
     FPS "%-25s P \t trusted peer (implies p)\n", "");
@@ -1133,17 +1140,17 @@ static void LongUsage(char *progName)
 #ifdef NSS_ENABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
 	"   -q curve-name");
     FPS "%-20s One of sect163k1, nistk163, sect163r1, sect163r2,\n", "");
     FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
     FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
     FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
     FPS "%-20s nistb409, sect571k1, nistk571, sect571r1, nistb571,\n", "");
-    FPS "%-20s secp169k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
+    FPS "%-20s secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
     FPS "%-20s nistp192, secp224k1, secp224r1, nistp224, secp256k1,\n", "");
     FPS "%-20s secp256r1, nistp256, secp384r1, nistp384, secp521r1,\n", "");
     FPS "%-20s nistp521, prime192v1, prime192v2, prime192v3, \n", "");
     FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
     FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
     FPS "%-20s c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5, \n", "");
     FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
     FPS "%-20s c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1, \n", "");
@@ -1302,16 +1309,17 @@ static void LongUsage(char *progName)
 	"   -b time");
     FPS "%-20s Check certificate signature \n",
 	"   -e ");   
     FPS "%-20s Specify certificate usage:\n", "   -u certusage");
     FPS "%-25s C \t SSL Client\n", "");
     FPS "%-25s V \t SSL Server\n", "");
     FPS "%-25s S \t Email signer\n", "");
     FPS "%-25s R \t Email Recipient\n", "");   
+    FPS "%-25s O \t OCSP status responder\n", "");   
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
 	"   -P dbprefix");
     FPS "%-20s force the database to open R/W\n",
 	"   -X");
     FPS "\n");
 
@@ -1385,17 +1393,17 @@ static void LongUsage(char *progName)
 
 static CERTCertificate *
 MakeV1Cert(	CERTCertDBHandle *	handle, 
 		CERTCertificateRequest *req,
 	    	char *			issuerNickName, 
 		PRBool 			selfsign, 
 		unsigned int 		serialNumber,
 		int 			warpmonths,
-                int                     validitylength)
+                int                     validityMonths)
 {
     CERTCertificate *issuerCert = NULL;
     CERTValidity *validity;
     CERTCertificate *cert = NULL;
     PRExplodedTime printableTime;
     PRTime now, after;
 
     if ( !selfsign ) {
@@ -1409,18 +1417,17 @@ MakeV1Cert(	CERTCertDBHandle *	handle,
 
     now = PR_Now();
     PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     if ( warpmonths ) {
 	printableTime.tm_month += warpmonths;
 	now = PR_ImplodeTime (&printableTime);
 	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     }
-    printableTime.tm_month += validitylength;
-    printableTime.tm_month += 3;
+    printableTime.tm_month += validityMonths;
     after = PR_ImplodeTime (&printableTime);
 
     /* note that the time is now in micro-second unit */
     validity = CERT_CreateValidity (now, after);
 
     cert = CERT_CreateCertificate(serialNumber, 
 				  (selfsign ? &req->subject 
 				            : &issuerCert->subject), 
@@ -1556,17 +1563,17 @@ AddOidToSequence(CERTOidSequence *os, SE
   }
 
   os->oids = oids;
   os->oids[count] = &od->oid;
 
   return SECSuccess;
 }
 
-SEC_ASN1_MKSUB(SEC_ObjectIDTemplate);
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 
 const SEC_ASN1Template CERT_OidSeqTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
 	  offsetof(CERTOidSequence, oids),
 	  SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
 };
 
 
@@ -2184,17 +2191,17 @@ CreateCert(
 	char *  issuerNickName, 
 	PRFileDesc *inFile,
 	PRFileDesc *outFile, 
 	SECKEYPrivateKey *selfsignprivkey,
 	void 	*pwarg,
 	SECOidTag hashAlgTag,
 	unsigned int serialNumber, 
 	int     warpmonths,
-	int     validitylength,
+	int     validityMonths,
 	const char *emailAddrs,
 	const char *dnsNames,
 	PRBool  ascii,
 	PRBool  selfsign,
 	PRBool	keyUsage, 
 	PRBool  extKeyUsage,
 	PRBool  basicConstraint, 
 	PRBool  authKeyID,
@@ -2219,17 +2226,17 @@ CreateCert(
 	
 	/* Create a certrequest object from the input cert request der */
 	certReq = GetCertRequest(inFile, ascii);
 	if (certReq == NULL) {
 	    GEN_BREAK (SECFailure)
 	}
 
 	subjectCert = MakeV1Cert (handle, certReq, issuerNickName, selfsign,
-				  serialNumber, warpmonths, validitylength);
+				  serialNumber, warpmonths, validityMonths);
 	if (subjectCert == NULL) {
 	    GEN_BREAK (SECFailure)
 	}
         
         
 	extHandle = CERT_StartCertExtensions (subjectCert);
 	if (extHandle == NULL) {
 	    GEN_BREAK (SECFailure)
@@ -2297,17 +2304,18 @@ enum {
     cmd_NewDBs,
     cmd_DumpChain,
     cmd_CertReq,
     cmd_CreateAndAddCert,
     cmd_TokenReset,
     cmd_ListModules,
     cmd_CheckCertValidity,
     cmd_ChangePassword,
-    cmd_Version
+    cmd_Version,
+    cmd_Batch
 };
 
 /*  Certutil options */
 enum {
     opt_SSOPass = 0,
     opt_AddKeyUsageExt,
     opt_AddBasicConstraintExt,
     opt_AddAuthorityKeyIDExt,
@@ -2339,18 +2347,17 @@ enum {
     opt_Trust,
     opt_Usage,
     opt_Validity,
     opt_OffsetMonths,
     opt_SelfSign,
     opt_RW,
     opt_Exponent,
     opt_NoiseFile,
-    opt_Hash,
-    opt_Batch
+    opt_Hash
 };
 
 static int 
 certutil_main(int argc, char **argv, PRBool initialize)
 {
     CERTCertDBHandle *certHandle;
     PK11SlotInfo *slot = NULL;
     CERTName *  subject         = 0;
@@ -2362,21 +2369,22 @@ certutil_main(int argc, char **argv, PRB
     char *      certPrefix      = "";
     KeyType     keytype         = rsaKey;
     char *      name            = NULL;
     SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
     int	        keysize	        = DEFAULT_KEY_BITS;
     int         publicExponent  = 0x010001;
     unsigned int serialNumber   = 0;
     int         warpmonths      = 0;
-    int         validitylength  = 0;
+    int         validityMonths  = 3;
     int         commandsEntered = 0;
     char        commandToRun    = '\0';
     secuPWData  pwdata          = { PW_NONE, 0 };
     PRBool 	readOnly	= PR_FALSE;
+    PRBool      initialized     = PR_FALSE;
 
     SECKEYPrivateKey *privkey = NULL;
     SECKEYPublicKey *pubkey = NULL;
 
     int i;
     SECStatus rv;
 
     secuCommand certutil;
@@ -2396,17 +2404,18 @@ secuCommandFlag certutil_commands[] =
 	{ /* cmd_NewDBs              */  'N', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_DumpChain           */  'O', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CertReq             */  'R', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CreateAndAddCert    */  'S', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_TokenReset          */  'T', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_ListModules         */  'U', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CheckCertValidity   */  'V', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_ChangePassword      */  'W', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE }
+	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_Batch               */  'B', PR_FALSE, 0, PR_FALSE }
 };
 
 secuCommandFlag certutil_options[] =
 {
 	{ /* opt_SSOPass             */  '0', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_AddKeyUsageExt      */  '1', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_AddAuthorityKeyIDExt*/  '3', PR_FALSE, 0, PR_FALSE },
@@ -2438,18 +2447,17 @@ secuCommandFlag certutil_options[] =
 	{ /* opt_Trust               */  't', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_Usage               */  'u', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_Validity            */  'v', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_OffsetMonths        */  'w', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_SelfSign            */  'x', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_RW                  */  'X', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_Exponent            */  'y', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Batch               */  'B', PR_TRUE,  0, PR_FALSE }
+	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE }
 };
 
 
     certutil.numCommands = sizeof(certutil_commands) / sizeof(secuCommandFlag);
     certutil.numOptions = sizeof(certutil_options) / sizeof(secuCommandFlag);
     certutil.commands = certutil_commands;
     certutil.options = certutil_options;
 
@@ -2571,18 +2579,18 @@ secuCommandFlag certutil_options[] =
 	    PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
 	               progName, certutil.options[opt_Subject].arg);
 	    return 255;
 	}
     }
 
     /*  -v validity period  */
     if (certutil.options[opt_Validity].activated) {
-	validitylength = PORT_Atoi(certutil.options[opt_Validity].arg);
-	if (validitylength < 0) {
+	validityMonths = PORT_Atoi(certutil.options[opt_Validity].arg);
+	if (validityMonths < 0) {
 	    PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
 	               progName, certutil.options[opt_Validity].arg);
 	    return 255;
 	}
     }
 
     /*  -w warp months  */
     if (certutil.options[opt_OffsetMonths].activated)
@@ -2796,16 +2804,17 @@ secuCommandFlag certutil_options[] =
         PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
         rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,
                             "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
         if (rv != SECSuccess) {
 	    SECU_PrintPRandOSError(progName);
 	    rv = SECFailure;
 	    goto shutdown;
         }
+        initialized = PR_TRUE;
     	SECU_RegisterDynamicOids();
     }
     certHandle = CERT_GetDefaultCertDB();
 
     if (certutil.commands[cmd_Version].activated) {
 	printf("Certificate database content version: command not implemented.\n");
     }
 
@@ -2989,17 +2998,17 @@ secuCommandFlag certutil_options[] =
     }
 
     /*  Create a certificate (-C or -S).  */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CreateNewCert].activated) {
 	rv = CreateCert(certHandle, 
 	                certutil.options[opt_IssuerName].arg,
 	                inFile, outFile, privkey, &pwdata, hashAlgTag,
-	                serialNumber, warpmonths, validitylength,
+	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,
 	                certutil.options[opt_ASCIIForIO].activated,
 	                certutil.options[opt_SelfSign].activated,
 	                certutil.options[opt_AddKeyUsageExt].activated,
 	                certutil.options[opt_AddExtKeyUsageExt].activated,
 	                certutil.options[opt_AddBasicConstraintExt].activated,
 	                certutil.options[opt_AddAuthorityKeyIDExt].activated,
@@ -3069,23 +3078,31 @@ shutdown:
      * command file.
      * - Quoting with double quote characters ("...") is supported
      * to allow white space in a command line argument.  The
      * double quote character cannot be escaped and quoting cannot
      * be nested in this version.
      * - each line in the batch file is limited to 512 characters
     */
 
-    if ((SECSuccess == rv) && certutil.options[opt_Batch].activated) {
-	FILE* batchFile = fopen(certutil.options[opt_Batch].arg, "r");
+    if ((SECSuccess == rv) && certutil.commands[cmd_Batch].activated) {
+	FILE* batchFile = NULL;
         char nextcommand[512];
+        if (!certutil.options[opt_InputFile].activated ||
+            !certutil.options[opt_InputFile].arg) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  no batch input file specified.\n",
+	               progName);
+	    return 255;
+        }
+        batchFile = fopen(certutil.options[opt_InputFile].arg, "r");
         if (!batchFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
-	               progName, certutil.options[opt_Batch].arg,
+	               progName, certutil.options[opt_InputFile].arg,
 	               PR_GetError(), PR_GetOSError());
 	    return 255;
         }
         /* read and execute command-lines in a loop */
         while ( (SECSuccess == rv ) &&
                 fgets(nextcommand, sizeof(nextcommand), batchFile)) {
             /* we now need to split the command into argc / argv format */
             char* commandline = PORT_Strdup(nextcommand);
@@ -3139,17 +3156,17 @@ shutdown:
                     rv = SECFailure;
             }
             PORT_Free(newargv);
             PORT_Free(commandline);
         }
         fclose(batchFile);
     }
 
-    if ((initialize == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
+    if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
         exit(1);
     }
 
     if (rv == SECSuccess) {
 	return 0;
     } else {
 	return 255;
     }
--- a/security/nss/cmd/crlutil/crlgen.c
+++ b/security/nss/cmd/crlutil/crlgen.c
@@ -1,40 +1,43 @@
-/*
- * The contents of this file are subject to the Maxilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
  * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
  * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
 
 /*
 ** crlgen.c
 **
 ** utility for managing certificates revocation lists generation
 **
 */
 
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -57,29 +57,57 @@
 
 static char *progName;
 
 static CERTSignedCrl *FindCRL
    (CERTCertDBHandle *certHandle, char *name, int type)
 {
     CERTSignedCrl *crl = NULL;    
     CERTCertificate *cert = NULL;
-
+    SECItem derName;
 
-    cert = CERT_FindCertByNickname(certHandle, name);
+    derName.data = NULL;
+    derName.len = 0;
+
+    cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
     if (!cert) {
-	SECU_PrintError(progName, "could not find certificate named %s", name);
-	return ((CERTSignedCrl *)NULL);
+        CERTName *certName = NULL;
+        PRArenaPool *arena = NULL;
+    
+        certName = CERT_AsciiToName(name);
+        if (certName) {
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (arena) {
+                SECItem *nameItem = 
+                    SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
+                                        SEC_ASN1_GET(CERT_NameTemplate));
+                if (nameItem) {
+                    SECITEM_CopyItem(NULL, &derName, nameItem);
+                }
+                PORT_FreeArena(arena, PR_FALSE);
+            }
+            CERT_DestroyName(certName);
+        }
+
+        if (!derName.len || !derName.data) {
+            SECU_PrintError(progName, "could not find certificate named '%s'", name);
+            return ((CERTSignedCrl *)NULL);
+        }
+    } else {
+        SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
+        CERT_DestroyCertificate (cert);
     }
-	
-    crl = SEC_FindCrlByName(certHandle, &cert->derSubject, type);
+ 
+    crl = SEC_FindCrlByName(certHandle, &derName, type);
     if (crl ==NULL) 
 	SECU_PrintError
 		(progName, "could not find %s's CRL", name);
-    CERT_DestroyCertificate (cert);
+    if (derName.data) {
+        SECITEM_FreeItem(&derName, PR_FALSE);
+    }
     return (crl);
 }
 
 static void DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
 {
     CERTSignedCrl *crl = NULL;
 
     crl = FindCRL (certHandle, nickName, crlType);
@@ -123,26 +151,49 @@ static void ListCRLNames (CERTCertDBHand
 	if (!crlList)
 	    break;
 
 	crlNode  = crlList->first;
 
         fprintf (stdout, "\n");
 	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
 	while (crlNode) {
-	   char* asciiname = NULL;
-	   name = &crlNode->crl->crl.name;
-	   if (!name){
-		fprintf(stderr, "%s: fail to get the CRL issuer name (%s)\n", progName,
-		SECU_Strerror(PORT_GetError()));
-		break;
+	    char* asciiname = NULL;
+	    CERTCertificate *cert = NULL;
+	    if (crlNode->crl && &crlNode->crl->crl.derName) {
+	        cert = CERT_FindCertByName(certHandle, 
+	                                   &crlNode->crl->crl.derName);
+	        if (!cert) {
+	            SECU_PrintError(progName, "could not find signing "
+	                         "certificate in database");
+	        }
 	    }
-
-	    asciiname = CERT_NameToAscii(name);
-	    fprintf (stdout, "\n%-40s %-5s\n", asciiname, "CRL");
+	    if (cert) {
+	        char* certName = NULL;
+                 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
+	            certName = cert->nickname;
+	        } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
+	            certName = cert->emailAddr;
+	        }
+	        if (certName) {
+	            asciiname = PORT_Strdup(certName);
+	        }
+	        CERT_DestroyCertificate(cert);
+	    }
+                
+	    if (!asciiname) {
+	        name = &crlNode->crl->crl.name;
+	        if (!name){
+	            SECU_PrintError(progName, "fail to get the CRL "
+	                           "issuer name");
+	            continue;
+	        }
+	        asciiname = CERT_NameToAscii(name);
+	    }
+	    fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
 	    if (asciiname) {
 		PORT_Free(asciiname);
 	    }
             if ( PR_TRUE == deletecrls) {
                 CERTSignedCrl* acrl = NULL;
                 SECItem* issuer = &crlNode->crl->crl.derName;
                 acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
                 if (acrl)
@@ -295,31 +346,31 @@ FindSigningCert(CERTCertDBHandle *certHa
     if (certTemp)
         CERT_DestroyCertificate(certTemp);
     if (cert && rv != SECSuccess)
         CERT_DestroyCertificate(cert);
     return cert;
 }
 
 static CERTSignedCrl*
-DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
+CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
                 CERTCertificate **cert, char *certNickName,
                 PRFileDesc *inFile, PRInt32 decodeOptions,
                 PRInt32 importOptions)
 {
     SECItem crlDER;
     CERTSignedCrl *signCrl = NULL;
     CERTSignedCrl *modCrl = NULL;
     PRArenaPool *modArena = NULL;
     SECStatus rv = SECSuccess;
 
     PORT_Assert(arena != NULL && certHandle != NULL &&
                 certNickName != NULL);
     if (!arena || !certHandle || !certNickName) {
-        SECU_PrintError(progName, "DuplicateModCrl: invalid args\n");
+        SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
         return NULL;
     }
 
     modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!modArena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return NULL;
     }
@@ -373,17 +424,25 @@ DuplicateModCrl(PRArenaPool *arena, CERT
 
     rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "unable to dublicate crl for "
                         "modification.");
         goto loser;
     }  
 
-    signCrl->arena = arena;    
+    /* Make sure the update time is current. It can be modified later
+     * by "update <time>" command from crl generation script */
+    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to encode current time\n");
+        goto loser;
+    }
+
+    signCrl->arena = arena;
 
   loser:
     SECITEM_FreeItem(&crlDER, PR_FALSE);
     if (modCrl)
         SEC_DestroyCrl(modCrl);
     if (rv != SECSuccess && signCrl) {
         SEC_DestroyCrl(signCrl);
         signCrl = NULL;
@@ -619,17 +678,17 @@ GenerateCRL (CERTCertDBHandle *certHandl
 
     arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!arena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return SECFailure;
     }
 
     if (modifyFlag == PR_TRUE) {
-        signCrl = DuplicateModCrl(arena, certHandle, &cert, certNickName,
+        signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
                                          inFile, decodeOptions, importOptions);
         if (signCrl == NULL) {
             goto loser;
         }
     }
 
     if (!cert) {
         cert = FindSigningCert(certHandle, signCrl, certNickName);
--- a/security/nss/cmd/dbck/Makefile
+++ b/security/nss/cmd/dbck/Makefile
@@ -63,17 +63,17 @@ include ../platlibs.mk
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
-
+INCLUDES += -I ../../lib/softoken
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 
 include ../platrules.mk
  
--- a/security/nss/cmd/dbck/dbck.c
+++ b/security/nss/cmd/dbck/dbck.c
@@ -46,39 +46,88 @@
 #include "secutil.h"
 #include "cdbhdl.h"
 #include "certdb.h"
 #include "cert.h"
 #include "nspr.h"
 #include "prtypes.h"
 #include "prtime.h"
 #include "prlong.h"
+#include "pcert.h"
+#include "nss.h"
 
 static char *progName;
 
 /* placeholders for pointer error types */
 static void *WrongEntry;
 static void *NoNickname;
 static void *NoSMime;
 
+typedef enum {
+/* 0*/ NoSubjectForCert = 0,
+/* 1*/ SubjectHasNoKeyForCert,
+/* 2*/ NoNicknameOrSMimeForSubject,
+/* 3*/ WrongNicknameForSubject,
+/* 4*/ NoNicknameEntry,
+/* 5*/ WrongSMimeForSubject,
+/* 6*/ NoSMimeEntry,
+/* 7*/ NoSubjectForNickname,
+/* 8*/ NoSubjectForSMime,
+/* 9*/ NicknameAndSMimeEntries,
+    NUM_ERROR_TYPES
+} dbErrorType;
+
+static char *dbErrorString[NUM_ERROR_TYPES] = {
+/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
+/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
+/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
+/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
+/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
+/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
+/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
+/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
+/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
+};
+
+static char *errResult[NUM_ERROR_TYPES] = {
+    "Certificate entries that had no subject entry.", 
+    "Subject entries with no corresponding Certificate entries.", 
+    "Subject entries that had no nickname or S/MIME entries.",
+    "Redundant nicknames (subjects with the same nickname).",
+    "Subject entries that had no nickname entry.",
+    "Redundant email addresses (subjects with the same email address).",
+    "Subject entries that had no S/MIME entry.",
+    "Nickname entries that had no subject entry.", 
+    "S/MIME entries that had no subject entry.",
+    "Subject entries with BOTH nickname and S/MIME entries."
+};
+
+
 enum {
     GOBOTH = 0,
     GORIGHT,
     GOLEFT
 };
 
 typedef struct
 {
     PRBool verbose;
     PRBool dograph;
     PRFileDesc *out;
     PRFileDesc *graphfile;
-    int dbErrors[10];
+    int dbErrors[NUM_ERROR_TYPES];
 } dbDebugInfo;
 
+struct certDBEntryListNodeStr {
+    PRCList link;
+    certDBEntry entry;
+    void *appData;
+};
+typedef struct certDBEntryListNodeStr  certDBEntryListNode;
+
 /*
  * A list node for a cert db entry.  The index is a unique identifier
  * to use for creating generic maps of a db.  This struct handles
  * the cert, nickname, and smime db entry types, as all three have a
  * single handle to a subject entry.
  * This structure is pointed to by certDBEntryListNode->appData.
  */
 typedef struct 
@@ -108,75 +157,72 @@ typedef struct
  * A map of a certdb.
  */
 typedef struct
 {
     int numCerts;
     int numSubjects;
     int numNicknames;
     int numSMime;
+    int numRevocation;
     certDBEntryListNode certs;      /* pointer to head of cert list */
     certDBEntryListNode subjects;   /* pointer to head of subject list */
     certDBEntryListNode nicknames;  /* pointer to head of nickname list */
     certDBEntryListNode smime;      /* pointer to head of smime list */
+    certDBEntryListNode revocation; /* pointer to head of revocation list */
 } certDBArray;
 
 /* Cast list to the base element, a certDBEntryListNode. */
 #define LISTNODE_CAST(node) \
     ((certDBEntryListNode *)(node))
 
 static void 
 Usage(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
-    FPS "Usage:  %s -D [-d certdir] [-i dbname] [-m] [-v  [-f dumpfile]]\n", 
+    FPS "Usage:  %s -D [-d certdir] [-m] [-v [-f dumpfile]]\n", 
 	progName);
-    FPS "        %s -R -o newdbname [-d certdir] [-i dbname] [-aprsx] [-v [-f dumpfile]]\n", 
+#ifdef DORECOVER
+    FPS "        %s -R -o newdbname [-d certdir] [-aprsx] [-v [-f dumpfile]]\n", 
 	progName);
+#endif
     exit(-1);
 }
 
 static void
 LongUsage(char *progName)
 {
     FPS "%-15s Display this help message.\n",
 	"-H");
     FPS "%-15s Dump analysis.  No changes will be made to the database.\n",
 	"-D");
     FPS "%-15s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
-    FPS "%-15s Input cert database name (default is cert7.db)\n",
-	"   -i dbname");
-    FPS "%-15s Mail a graph of the database to certdb@netscape.com.\n",
+    FPS "%-15s Put database graph in ./mailfile (default is stdout).\n",
 	"   -m");
-    FPS "%-15s This will produce an index graph of your cert db and send\n",
-	"");
-    FPS "%-15s it to Netscape for analysis.  Personal info will be removed.\n",
-	"");
-    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert7.db.\n",
+    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert8.db.\n",
 	"   -v");
-    FPS "%-15s File to dump verbose output into.\n",
+    FPS "%-15s File to dump verbose output into. (default is stdout)\n",
 	"   -f dumpfile");
+#ifdef DORECOVER
     FPS "%-15s Repair the database.  The program will look for broken\n",
 	"-R");
     FPS "%-15s dependencies between subject entries and certificates,\n",
         "");
     FPS "%-15s between nickname entries and subjects, and between SMIME\n",
         "");
     FPS "%-15s profiles and subjects.  Any duplicate entries will be\n",
         "");
     FPS "%-15s removed, any missing entries will be created.\n",
         "");
-    FPS "%-15s File to store new database in (default is new_cert7.db)\n",
+    FPS "%-15s File to store new database in (default is new_cert8.db)\n",
 	"   -o newdbname");
     FPS "%-15s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
-    FPS "%-15s Input cert database name (default is cert7.db)\n",
-	"   -i dbname");
     FPS "%-15s Prompt before removing any certificates.\n",
         "   -p");
     FPS "%-15s Keep all possible certificates.  Only remove certificates\n",
 	"   -a");
     FPS "%-15s which prevent creation of a consistent database.  Thus any\n",
 	"");
     FPS "%-15s expired or redundant entries will be kept.\n",
 	"");
@@ -190,64 +236,41 @@ LongUsage(char *progName)
 	"");
     FPS "%-15s Keep expired certificates.\n",
 	"   -x");
     FPS "%-15s Verbose mode - report all activity while recovering db.\n",
 	"   -v");
     FPS "%-15s File to dump verbose output into.\n",
 	"   -f dumpfile");
     FPS "\n");
+#endif
     exit(-1);
 #undef FPS
 }
 
 /*******************************************************************
  *
  *  Functions for dbck.
  *
  ******************************************************************/
 
 void
 printHexString(PRFileDesc *out, SECItem *hexval)
 {
-    int i;
+    unsigned int i;
     for (i = 0; i < hexval->len; i++) {
 	if (i != hexval->len - 1) {
 	    PR_fprintf(out, "%02x:", hexval->data[i]);
 	} else {
 	    PR_fprintf(out, "%02x", hexval->data[i]);
 	}
     }
     PR_fprintf(out, "\n");
 }
 
-typedef enum {
-/* 0*/ NoSubjectForCert = 0,
-/* 1*/ SubjectHasNoKeyForCert,
-/* 2*/ NoNicknameOrSMimeForSubject,
-/* 3*/ WrongNicknameForSubject,
-/* 4*/ NoNicknameEntry,
-/* 5*/ WrongSMimeForSubject,
-/* 6*/ NoSMimeEntry,
-/* 7*/ NoSubjectForNickname,
-/* 8*/ NoSubjectForSMime,
-/* 9*/ NicknameAndSMimeEntry
-} dbErrorType;
-
-static char *dbErrorString[] = {
-/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
-/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
-/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
-/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
-/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
-/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
-/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
-/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
-/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
-};
 
 SECStatus
 dumpCertificate(CERTCertificate *cert, int num, PRFileDesc *outfile)
 {
     int userCert = 0;
     CERTCertTrust *trust = cert->trust;
     userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
                (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
@@ -280,41 +303,55 @@ dumpCertificate(CERTCertificate *cert, i
     }
     PR_fprintf(outfile, "\n");
     return SECSuccess;
 }
 
 SECStatus
 dumpCertEntry(certDBEntryCert *entry, int num, PRFileDesc *outfile)
 {
+#if 0
+    NSSLOWCERTCertificate *cert;
+    /* should we check for existing duplicates? */
+    cert = nsslowcert_DecodeDERCertificate(&entry->cert.derCert, 
+					    entry->cert.nickname);
+#else
     CERTCertificate *cert;
     cert = CERT_DecodeDERCertificate(&entry->derCert, PR_FALSE, NULL);
+#endif
     if (!cert) {
 	fprintf(stderr, "Failed to decode certificate.\n");
 	return SECFailure;
     }
-    cert->trust = &entry->trust;
+    cert->trust = (CERTCertTrust *)&entry->trust;
     dumpCertificate(cert, num, outfile);
     CERT_DestroyCertificate(cert);
     return SECSuccess;
 }
 
 SECStatus
 dumpSubjectEntry(certDBEntrySubject *entry, int num, PRFileDesc *outfile)
 {
-    char *subjectName;
-    subjectName = CERT_DerNameToAscii(&entry->derSubject);
+    char *subjectName = CERT_DerNameToAscii(&entry->derSubject);
+
     PR_fprintf(outfile, "Subject: %3d\n", num);
     PR_fprintf(outfile, "------------\n");
     PR_fprintf(outfile, "## %s\n", subjectName);
     if (entry->nickname)
 	PR_fprintf(outfile, "## Subject nickname:  %s\n", entry->nickname);
-    if (entry->emailAddr && entry->emailAddr[0])
-	PR_fprintf(outfile, "## Subject email address:  %s\n", 
-	           entry->emailAddr);
+    if (entry->emailAddrs) {
+	unsigned int n;
+	for (n = 0; n < entry->nemailAddrs && entry->emailAddrs[n]; ++n) {
+	    char * emailAddr = entry->emailAddrs[n];
+	    if (emailAddr[0]) {
+		PR_fprintf(outfile, "## Subject email address:  %s\n", 
+	           emailAddr);
+	    }
+	}
+    }
     PR_fprintf(outfile, "## This subject has %d cert(s).\n", entry->ncerts);
     PR_fprintf(outfile, "\n");
     PORT_Free(subjectName);
     return SECSuccess;
 }
 
 SECStatus
 dumpNicknameEntry(certDBEntryNickname *entry, int num, PRFileDesc *outfile)
@@ -326,37 +363,44 @@ dumpNicknameEntry(certDBEntryNickname *e
 }
 
 SECStatus
 dumpSMimeEntry(certDBEntrySMime *entry, int num, PRFileDesc *outfile)
 {
     PR_fprintf(outfile, "S/MIME Profile: %3d\n", num);
     PR_fprintf(outfile, "-------------------\n");
     PR_fprintf(outfile, "##  \"%s\"\n", entry->emailAddr);
+#ifdef OLDWAY
     PR_fprintf(outfile, "##  OPTIONS:  ");
     printHexString(outfile, &entry->smimeOptions);
     PR_fprintf(outfile, "##  TIMESTAMP:  ");
     printHexString(outfile, &entry->optionsDate);
+#else
+    SECU_PrintAny(stdout, &entry->smimeOptions, "##  OPTIONS  ", 0);
+    fflush(stdout);
+    if (entry->optionsDate.len && entry->optionsDate.data)
+	PR_fprintf(outfile, "##  TIMESTAMP: %.*s\n", 
+	           entry->optionsDate.len, entry->optionsDate.data);
+#endif
     PR_fprintf(outfile, "\n");
     return SECSuccess;
 }
 
 SECStatus
 mapCertEntries(certDBArray *dbArray)
 {
     certDBEntryCert *certEntry;
     certDBEntrySubject *subjectEntry;
     certDBEntryListNode *certNode, *subjNode;
     certDBSubjectEntryMap *smap;
     certDBEntryMap *map;
     PRArenaPool *tmparena;
     SECItem derSubject;
     SECItem certKey;
     PRCList *cElem, *sElem;
-    int i;
 
     /* Arena for decoded entries */
     tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (tmparena == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
 
@@ -372,16 +416,17 @@ mapCertEntries(certDBArray *dbArray)
 	CERT_NameFromDERCert(&certEntry->derCert, &derSubject);
 	CERT_KeyFromDERCert(tmparena, &certEntry->derCert, &certKey);
 	/*  Loop over found subjects for cert's DN.  */
 	for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
 	     sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
 	    subjNode = LISTNODE_CAST(sElem);
 	    subjectEntry = (certDBEntrySubject *)&subjNode->entry;
 	    if (SECITEM_ItemsAreEqual(&derSubject, &subjectEntry->derSubject)) {
+		unsigned int i;
 		/*  Found matching subject name, create link.  */
 		map->pSubject = subjNode;
 		/*  Make sure subject entry has cert's key.  */
 		for (i=0; i<subjectEntry->ncerts; i++) {
 		    if (SECITEM_ItemsAreEqual(&certKey,
 		                              &subjectEntry->certKeys[i])) {
 			/*  Found matching cert key.  */
 			smap = (certDBSubjectEntryMap *)subjNode->appData;
@@ -395,87 +440,100 @@ mapCertEntries(certDBArray *dbArray)
     PORT_FreeArena(tmparena, PR_FALSE);
     return SECSuccess;
 }
 
 SECStatus
 mapSubjectEntries(certDBArray *dbArray)
 {
     certDBEntrySubject *subjectEntry;
-    certDBEntryNickname *nicknameEntry;
-    certDBEntrySMime *smimeEntry;
-    certDBEntryListNode *subjNode, *nickNode, *smimeNode;
+    certDBEntryListNode *subjNode;
     certDBSubjectEntryMap *subjMap;
-    certDBEntryMap *nickMap, *smimeMap;
-    PRCList *sElem, *nElem, *mElem;
+    PRCList *sElem;
 
     for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
          sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
 	/* Iterate over subject entries and map subjects to nickname
 	 * and smime entries.  The cert<->subject map will be handled
 	 * by a subsequent call to mapCertEntries.
 	 */
 	subjNode = LISTNODE_CAST(sElem);
 	subjectEntry = (certDBEntrySubject *)&subjNode->entry;
 	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	/* need to alloc memory here for array of matching certs. */
 	subjMap->pCerts = PORT_ArenaAlloc(subjMap->arena, 
 	                                  subjectEntry->ncerts*sizeof(int));
 	subjMap->numCerts = subjectEntry->ncerts;
+	subjMap->pNickname = NoNickname;
+	subjMap->pSMime = NoSMime;
+
 	if (subjectEntry->nickname) {
 	    /* Subject should have a nickname entry, so create a link. */
+	    PRCList *nElem;
 	    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
 	         nElem != &dbArray->nicknames.link; 
 	         nElem = PR_NEXT_LINK(nElem)) {
+		certDBEntryListNode *nickNode;
+		certDBEntryNickname *nicknameEntry;
 		/*  Look for subject's nickname in nickname entries.  */
 		nickNode = LISTNODE_CAST(nElem);
 		nicknameEntry = (certDBEntryNickname *)&nickNode->entry;
-		nickMap = (certDBEntryMap *)nickNode->appData;
 		if (PL_strcmp(subjectEntry->nickname, 
 		              nicknameEntry->nickname) == 0) {
 		    /*  Found a nickname entry for subject's nickname.  */
 		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
 		                              &nicknameEntry->subjectName)) {
+			certDBEntryMap *nickMap;
+			nickMap = (certDBEntryMap *)nickNode->appData;
 			/*  Nickname and subject match.  */
 			subjMap->pNickname = nickNode;
 			nickMap->pSubject = subjNode;
-		    } else {
+		    } else if (subjMap->pNickname == NoNickname) {
 			/*  Nickname entry found is for diff. subject.  */
 			subjMap->pNickname = WrongEntry;
 		    }
 		}
 	    }
-	} else {
-	    subjMap->pNickname = NoNickname;
 	}
-	if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
-	    /* Subject should have an smime entry, so create a link. */
-	    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
-	         mElem != &dbArray->smime.link; mElem = PR_NEXT_LINK(mElem)) {
-		/*  Look for subject's email in S/MIME entries.  */
-		smimeNode = LISTNODE_CAST(mElem);
-		smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
-		smimeMap = (certDBEntryMap *)smimeNode->appData;
-		if (PL_strcmp(subjectEntry->emailAddr, 
-		              smimeEntry->emailAddr) == 0) {
-		    /*  Found a S/MIME entry for subject's email.  */
-		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-		                              &smimeEntry->subjectName)) {
-			/*  S/MIME entry and subject match.  */
-			subjMap->pSMime = smimeNode;
-			smimeMap->pSubject = subjNode;
-		    } else {
-			/*  S/MIME entry found is for diff. subject.  */
-			subjMap->pSMime = WrongEntry;
-		    }
-		}
-	    }
-	} else {
-	    subjMap->pSMime = NoSMime;
-	}
+	if (subjectEntry->emailAddrs) {
+	    unsigned int n;
+	    for (n = 0; n < subjectEntry->nemailAddrs && 
+	                subjectEntry->emailAddrs[n]; ++n) {
+		char * emailAddr = subjectEntry->emailAddrs[n];
+		if (emailAddr[0]) {
+		    PRCList *mElem;
+		    /* Subject should have an smime entry, so create a link. */
+		    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
+			 mElem != &dbArray->smime.link; 
+			 mElem = PR_NEXT_LINK(mElem)) {
+			certDBEntryListNode *smimeNode;
+			certDBEntrySMime *smimeEntry;
+			/*  Look for subject's email in S/MIME entries.  */
+			smimeNode = LISTNODE_CAST(mElem);
+			smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
+			if (PL_strcmp(emailAddr, 
+				      smimeEntry->emailAddr) == 0) {
+			    /*  Found a S/MIME entry for subject's email.  */
+			    if (SECITEM_ItemsAreEqual(
+			    		&subjectEntry->derSubject,
+				        &smimeEntry->subjectName)) {
+				certDBEntryMap *smimeMap;
+				/*  S/MIME entry and subject match.  */
+				subjMap->pSMime = smimeNode;
+				smimeMap = (certDBEntryMap *)smimeNode->appData;
+				smimeMap->pSubject = subjNode;
+			    } else if (subjMap->pSMime == NoSMime) {
+				/*  S/MIME entry found is for diff. subject.  */
+				subjMap->pSMime = WrongEntry;
+			    }
+			}
+		    }   /* end for */
+		}   /* endif (emailAddr[0]) */
+	    }   /* end for */
+	}   /* endif (subjectEntry->emailAddrs) */
     }
     return SECSuccess;
 }
 
 void
 printnode(dbDebugInfo *info, const char *str, int num)
 {
     if (!info->dograph)
@@ -530,16 +588,17 @@ print_smime_graph(dbDebugInfo *info, cer
 	/* Need to output subject and cert first, see print_subject_graph */
 	subjNode = smimeMap->pSubject;
 	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
 	    subjMap = (certDBSubjectEntryMap *)subjNode->appData; 
 	    print_subject_graph(info, subjMap, GOLEFT,
 	                        smimeMap->index, certDBEntryTypeSMimeProfile);
 	} else {
 	    printnode(info, "<---- S/MIME   %5d   ", smimeMap->index);
+	    info->dbErrors[NoSubjectForSMime]++;
 	}
     } else {
 	printnode(info, "S/MIME   %5d   ", smimeMap->index);
     }
 }
 
 /* Given a nickname entry, print its unique identifier.  If GOLEFT is 
  * specified, print the cert<-subject<-nickname map, else just print
@@ -554,16 +613,17 @@ print_nickname_graph(dbDebugInfo *info, 
 	/* Need to output subject and cert first, see print_subject_graph */
 	subjNode = nickMap->pSubject;
 	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
 	    subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	    print_subject_graph(info, subjMap, GOLEFT,
 	                        nickMap->index, certDBEntryTypeNickname);
 	} else {
 	    printnode(info, "<---- Nickname %5d   ", nickMap->index);
+	    info->dbErrors[NoSubjectForNickname]++;
 	}
     } else {
 	printnode(info, "Nickname %5d   ", nickMap->index);
     }
 }
 
 /* Given a subject entry, if going right print the graph of the nickname|smime
  * that it maps to (by its unique identifier); and if going left
@@ -598,16 +658,18 @@ print_subject_graph(dbDebugInfo *info, c
 	    /* XXX uh-oh */
 	    return;
 	/* get the first cert and dump it. */
 	node = subjMap->pCerts[0];
 	if (map_handle_is_ok(info, (void *)node, 0)) {
 	    map = (certDBEntryMap *)node->appData;
 	    /* going left here stops. */
 	    print_cert_graph(info, map, GOLEFT); 
+	} else {
+	    info->dbErrors[SubjectHasNoKeyForCert]++;
 	}
 	/* Now it is safe to output the subject id. */
 	if (direction == GOLEFT)
 	    printnode(info, "Subject  %5d <---- ", subjMap->index);
 	else /* direction == GOBOTH */
 	    printnode(info, "Subject  %5d ----> ", subjMap->index);
     }
     if (direction == GORIGHT || direction == GOBOTH) { 
@@ -627,16 +689,20 @@ print_subject_graph(dbDebugInfo *info, c
 	    if (map_handle_is_ok(info, (void *)node, 0)) {
 		map = (certDBEntryMap *)node->appData;
 		/* going right here stops. */
 		print_smime_graph(info, map, GORIGHT); 
 	    }
 	}
 	if (!subjMap->pNickname && !subjMap->pSMime) {
 	    printnode(info, "******************* ", -1);
+	    info->dbErrors[NoNicknameOrSMimeForSubject]++;
+	}
+	if (subjMap->pNickname && subjMap->pSMime) {
+	    info->dbErrors[NicknameAndSMimeEntries]++;
 	}
     }
     if (direction != GORIGHT) { /* going right has only one cert */
 	if (opttype == certDBEntryTypeNickname)
 	    printnode(info, "Nickname %5d   ", optindex);
 	else if (opttype == certDBEntryTypeSMimeProfile)
 	    printnode(info, "S/MIME   %5d   ", optindex);
 	for (i=1 /* 1st one already done */; i<subjMap->numCerts; i++) {
@@ -667,16 +733,18 @@ print_cert_graph(dbDebugInfo *info, cert
 	return;
     }
     /* Keep going right then. */
     printnode(info, "Cert     %5d ----> ", certMap->index);
     subjNode = certMap->pSubject;
     if (map_handle_is_ok(info, (void *)subjNode, 0)) {
 	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	print_subject_graph(info, subjMap, GORIGHT, -1, -1);
+    } else {
+	info->dbErrors[NoSubjectForCert]++;
     }
 }
 
 SECStatus
 computeDBGraph(certDBArray *dbArray, dbDebugInfo *info)
 {
     PRCList *cElem, *sElem, *nElem, *mElem;
     certDBEntryListNode *node;
@@ -769,48 +837,57 @@ verboseOutput(certDBArray *dbArray, dbDe
 	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
 	} else {
 	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
 	}
     }
     /* List subjects */
     for (elem = PR_LIST_HEAD(&dbArray->subjects.link);
          elem != &dbArray->subjects.link; elem = PR_NEXT_LINK(elem)) {
+	int refs = 0;
 	node = LISTNODE_CAST(elem);
 	subjectEntry = (certDBEntrySubject *)&node->entry;
 	smap = (certDBSubjectEntryMap *)node->appData;
 	dumpSubjectEntry(subjectEntry, smap->index, info->out);
 	/* iterate over subject's certs */
 	for (i=0; i<smap->numCerts; i++) {
 	    /* walk each subject handle to it's cert entries */
 	    if (map_handle_is_ok(info, smap->pCerts[i], -1)) {
 		ref = ((certDBEntryMap *)smap->pCerts[i]->appData)->index;
 		PR_fprintf(info->out, "-->(%d. certificate %d)\n", i, ref);
 	    } else {
 		PR_fprintf(info->out, "-->(%d. MISSING CERT ENTRY)\n", i);
 	    }
 	}
 	if (subjectEntry->nickname) {
+	    ++refs;
 	    /* walk each subject handle to it's nickname entry */
 	    if (map_handle_is_ok(info, smap->pNickname, -1)) {
 		ref = ((certDBEntryMap *)smap->pNickname->appData)->index;
 		PR_fprintf(info->out, "-->(nickname %d)\n", ref);
 	    } else {
 		PR_fprintf(info->out, "-->(MISSING NICKNAME ENTRY)\n");
 	    }
 	}
-	if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	if (subjectEntry->nemailAddrs && 
+	    subjectEntry->emailAddrs &&
+	    subjectEntry->emailAddrs[0] &&
+	    subjectEntry->emailAddrs[0][0]) {
+	    ++refs;
 	    /* walk each subject handle to it's smime entry */
 	    if (map_handle_is_ok(info, smap->pSMime, -1)) {
 		ref = ((certDBEntryMap *)smap->pSMime->appData)->index;
 		PR_fprintf(info->out, "-->(s/mime %d)\n", ref);
 	    } else {
 		PR_fprintf(info->out, "-->(MISSING S/MIME ENTRY)\n");
 	    }
 	}
+	if (!refs) {
+	    PR_fprintf(info->out, "-->(NO NICKNAME+S/MIME ENTRY)\n");
+	}
 	PR_fprintf(info->out, "\n\n");
     }
     for (elem = PR_LIST_HEAD(&dbArray->nicknames.link);
          elem != &dbArray->nicknames.link; elem = PR_NEXT_LINK(elem)) {
 	node = LISTNODE_CAST(elem);
 	map = (certDBEntryMap *)node->appData;
 	dumpNicknameEntry((certDBEntryNickname*)&node->entry, map->index, 
 	                  info->out);
@@ -831,62 +908,85 @@ verboseOutput(certDBArray *dbArray, dbDe
 	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
 	} else {
 	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
 	}
     }
     PR_fprintf(info->out, "\n\n");
 }
 
-char *errResult[] = {
-    "Certificate entries that had no subject entry.", 
-    "Certificate entries that had no key in their subject entry.", 
-    "Subject entries that had no nickname or email address.",
-    "Redundant nicknames (subjects with the same nickname).",
-    "Subject entries that had no nickname entry.",
-    "Redundant email addresses (subjects with the same email address).",
-    "Subject entries that had no S/MIME entry.",
-    "Nickname entries that had no subject entry.", 
-    "S/MIME entries that had no subject entry.",
-};
+
+/* A callback function, intended to be called from nsslowcert_TraverseDBEntries
+ * Builds a PRCList of DB entries of the specified type.
+ */
+SECStatus 
+SEC_GetCertDBEntryList(SECItem *dbdata, SECItem *dbkey, 
+                       certDBEntryType entryType, void *pdata)
+{
+    certDBEntry         * entry;
+    certDBEntryListNode * node;
+    PRCList             * list = (PRCList *)pdata;
+
+    if (!dbdata || !dbkey || !pdata || !dbdata->data || !dbkey->data) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    entry = nsslowcert_DecodeAnyDBEntry(dbdata, dbkey, entryType, NULL);
+    if (!entry) {
+    	return SECSuccess; /* skip it */
+    }
+    node = PORT_ArenaZNew(entry->common.arena, certDBEntryListNode);
+    if (!node) {
+    	/* DestroyDBEntry(entry); */
+	PLArenaPool *arena = entry->common.arena;
+	PORT_Memset(&entry->common, 0, sizeof entry->common);
+	PORT_FreeArena(arena, PR_FALSE);
+	return SECFailure;
+    }
+    node->entry = *entry;  		/* crude but effective. */
+    PR_INIT_CLIST(&node->link);
+    PR_INSERT_BEFORE(&node->link, list);
+    return SECSuccess;
+}
+
 
 int
-fillDBEntryArray(CERTCertDBHandle *handle, certDBEntryType type, 
+fillDBEntryArray(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, 
                  certDBEntryListNode *list)
 {
     PRCList *elem;
     certDBEntryListNode *node;
     certDBEntryMap *mnode;
     certDBSubjectEntryMap *smnode;
     PRArenaPool *arena;
     int count = 0;
+
     /* Initialize a dummy entry in the list.  The list head will be the
      * next element, so this element is skipped by for loops.
      */
     PR_INIT_CLIST((PRCList *)list);
     /* Collect all of the cert db entries for this type into a list. */
-    SEC_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, 
-                          (PRCList *)list);
+    nsslowcert_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, list);
+
     for (elem = PR_LIST_HEAD(&list->link); 
          elem != &list->link; elem = PR_NEXT_LINK(elem)) {
 	/* Iterate over the entries and ... */
 	node = (certDBEntryListNode *)elem;
 	if (type != certDBEntryTypeSubject) {
 	    arena = PORT_NewArena(sizeof(*mnode));
-	    mnode = (certDBEntryMap *)PORT_ArenaZAlloc(arena, sizeof(*mnode));
+	    mnode = PORT_ArenaZNew(arena, certDBEntryMap);
 	    mnode->arena = arena;
 	    /* ... assign a unique index number to each node, and ... */
 	    mnode->index = count;
 	    /* ... set the map pointer for the node. */
 	    node->appData = (void *)mnode;
 	} else {
 	    /* allocate some room for the cert pointers also */
 	    arena = PORT_NewArena(sizeof(*smnode) + 20*sizeof(void *));
-	    smnode = (certDBSubjectEntryMap *)
-	              PORT_ArenaZAlloc(arena, sizeof(*smnode));
+	    smnode = PORT_ArenaZNew(arena, certDBSubjectEntryMap);
 	    smnode->arena = arena;
 	    smnode->index = count;
 	    node->appData = (void *)smnode;
 	}
 	count++;
     }
     return count;
 }
@@ -905,52 +1005,56 @@ freeDBEntryList(PRCList *list)
 	PR_REMOVE_LINK(&node->link);
 	PORT_FreeArena(map->arena, PR_TRUE);
 	PORT_FreeArena(node->entry.common.arena, PR_TRUE);
 	elem = next;
     }
 }
 
 void
-DBCK_DebugDB(CERTCertDBHandle *handle, PRFileDesc *out, PRFileDesc *mailfile)
+DBCK_DebugDB(NSSLOWCERTCertDBHandle *handle, PRFileDesc *out, 
+	     PRFileDesc *mailfile)
 {
     int i, nCertsFound, nSubjFound, nErr;
-    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime;
+    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime, nRevocation;
     PRCList *elem;
     char c;
     dbDebugInfo info;
     certDBArray dbArray;
 
     PORT_Memset(&dbArray, 0, sizeof(dbArray));
     PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (out == NULL) ? PR_FALSE : PR_TRUE ;
-    info.dograph = (mailfile == NULL) ? PR_FALSE : PR_TRUE ;
-    info.out = (out) ? out : PR_STDOUT;
-    info.graphfile = mailfile;
+    info.verbose = (PRBool)(out != NULL);
+    info.dograph = info.verbose;
+    info.out       = (out)    ? out      : PR_STDOUT;
+    info.graphfile = mailfile ? mailfile : PR_STDOUT;
 
     /*  Fill the array structure with cert/subject/nickname/smime entries.  */
-    dbArray.numCerts = fillDBEntryArray(handle, certDBEntryTypeCert, 
-                                        &dbArray.certs);
-    dbArray.numSubjects = fillDBEntryArray(handle, certDBEntryTypeSubject, 
-                                           &dbArray.subjects);
+    dbArray.numCerts     = fillDBEntryArray(handle, certDBEntryTypeCert, 
+                                            &dbArray.certs);
+    dbArray.numSubjects  = fillDBEntryArray(handle, certDBEntryTypeSubject, 
+                                            &dbArray.subjects);
     dbArray.numNicknames = fillDBEntryArray(handle, certDBEntryTypeNickname, 
                                             &dbArray.nicknames);
-    dbArray.numSMime = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
-                                        &dbArray.smime);
+    dbArray.numSMime     = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
+                                            &dbArray.smime);
+    dbArray.numRevocation= fillDBEntryArray(handle, certDBEntryTypeRevocation, 
+                                            &dbArray.revocation);
 
     /*  Compute the map between the database entries.  */
     mapSubjectEntries(&dbArray);
     mapCertEntries(&dbArray);
     computeDBGraph(&dbArray, &info);
 
     /*  Store the totals for later reference.  */
-    nCerts = dbArray.numCerts;
-    nSubjects = dbArray.numSubjects;
+    nCerts     = dbArray.numCerts;
+    nSubjects  = dbArray.numSubjects;
     nNicknames = dbArray.numNicknames;
-    nSMime = dbArray.numSMime;
+    nSMime     = dbArray.numSMime;
+    nRevocation= dbArray.numRevocation;
     nSubjCerts = 0;
     for (elem = PR_LIST_HEAD(&dbArray.subjects.link);
          elem != &dbArray.subjects.link; elem = PR_NEXT_LINK(elem)) {
 	certDBSubjectEntryMap *smap;
 	smap = (certDBSubjectEntryMap *)LISTNODE_CAST(elem)->appData;
 	nSubjCerts += smap->numCerts;
     }
 
@@ -958,33 +1062,36 @@ DBCK_DebugDB(CERTCertDBHandle *handle, P
 	/*  Dump the database contents.  */
 	verboseOutput(&dbArray, &info);
     }
 
     freeDBEntryList(&dbArray.certs.link);
     freeDBEntryList(&dbArray.subjects.link);
     freeDBEntryList(&dbArray.nicknames.link);
     freeDBEntryList(&dbArray.smime.link);
+    freeDBEntryList(&dbArray.revocation.link);
 
     PR_fprintf(info.out, "\n");
     PR_fprintf(info.out, "Database statistics:\n");
     PR_fprintf(info.out, "N0: Found %4d Certificate entries.\n", 
                           nCerts);
     PR_fprintf(info.out, "N1: Found %4d Subject entries (unique DN's).\n", 
                           nSubjects);
     PR_fprintf(info.out, "N2: Found %4d Cert keys within Subject entries.\n", 
                           nSubjCerts);
     PR_fprintf(info.out, "N3: Found %4d Nickname entries.\n", 
                           nNicknames);
     PR_fprintf(info.out, "N4: Found %4d S/MIME entries.\n", 
                           nSMime);
+    PR_fprintf(info.out, "N5: Found %4d CRL entries.\n", 
+                          nRevocation);
     PR_fprintf(info.out, "\n");
 
     nErr = 0;
-    for (i=0; i<sizeof(errResult)/sizeof(char*); i++) {
+    for (i=0; i < NUM_ERROR_TYPES; i++) {
 	PR_fprintf(info.out, "E%d: Found %4d %s\n", 
 	           i, info.dbErrors[i], errResult[i]);
 	nErr += info.dbErrors[i];
     }
     PR_fprintf(info.out, "--------------\n    Found %4d errors in database.\n", 
                nErr);
 
     PR_fprintf(info.out, "\nCertificates:\n");
@@ -993,710 +1100,52 @@ DBCK_DebugDB(CERTCertDBHandle *handle, P
     nCertsFound = nSubjCerts +
                   info.dbErrors[NoSubjectForCert] +
                   info.dbErrors[SubjectHasNoKeyForCert];
     c = (nCertsFound == nCerts) ? '=' : '!';
     PR_fprintf(info.out, "%d %c= %d + %d + %d\n", nCerts, c, nSubjCerts, 
                   info.dbErrors[NoSubjectForCert],
                   info.dbErrors[SubjectHasNoKeyForCert]);
     PR_fprintf(info.out, "\nSubjects:\n");
-    PR_fprintf(info.out, "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d\n",
-                  NoNicknameOrSMimeForSubject, WrongNicknameForSubject,
-		  NoNicknameEntry, WrongSMimeForSubject, NoSMimeEntry,
-		  NoSubjectForNickname, NoSubjectForSMime);
-    PR_fprintf(info.out, "      - #(subjects with both nickname and S/MIME entries)\n");
+    PR_fprintf(info.out, 
+    "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d - E%d\n",
+                  NoNicknameOrSMimeForSubject, 
+		  WrongNicknameForSubject,
+		  NoNicknameEntry, 
+		  WrongSMimeForSubject, 
+		  NoSMimeEntry,
+		  NoSubjectForNickname, 
+		  NoSubjectForSMime,
+		  NicknameAndSMimeEntries);
     nSubjFound = nNicknames + nSMime + 
                  info.dbErrors[NoNicknameOrSMimeForSubject] +
 		 info.dbErrors[WrongNicknameForSubject] +
 		 info.dbErrors[NoNicknameEntry] +
 		 info.dbErrors[WrongSMimeForSubject] +
                  info.dbErrors[NoSMimeEntry] -
 		 info.dbErrors[NoSubjectForNickname] -
 		 info.dbErrors[NoSubjectForSMime] -
-		 info.dbErrors[NicknameAndSMimeEntry];
+		 info.dbErrors[NicknameAndSMimeEntries];
     c = (nSubjFound == nSubjects) ? '=' : '!';
-    PR_fprintf(info.out, "%d %c= %d + %d + %d + %d + %d + %d + %d - %d - %d - %d\n",
+    PR_fprintf(info.out, 
+    "%2d %c= %2d + %2d + %2d + %2d + %2d + %2d + %2d - %2d - %2d - %2d\n",
                   nSubjects, c, nNicknames, nSMime,
                   info.dbErrors[NoNicknameOrSMimeForSubject],
 		  info.dbErrors[WrongNicknameForSubject],
 		  info.dbErrors[NoNicknameEntry],
 		  info.dbErrors[WrongSMimeForSubject],
                   info.dbErrors[NoSMimeEntry],
 		  info.dbErrors[NoSubjectForNickname],
 		  info.dbErrors[NoSubjectForSMime],
-		  info.dbErrors[NicknameAndSMimeEntry]);
+		  info.dbErrors[NicknameAndSMimeEntries]);
     PR_fprintf(info.out, "\n");
 }
 
 #ifdef DORECOVER
-enum {
-    dbInvalidCert = 0,
-    dbNoSMimeProfile,
-    dbOlderCert,
-    dbBadCertificate,
-    dbCertNotWrittenToDB
-};
-
-typedef struct dbRestoreInfoStr
-{
-    CERTCertDBHandle *handle;
-    PRBool verbose;
-    PRFileDesc *out;
-    int nCerts;
-    int nOldCerts;
-    int dbErrors[5];
-    PRBool removeType[3];
-    PRBool promptUser[3];
-} dbRestoreInfo;
-
-char *
-IsEmailCert(CERTCertificate *cert)
-{
-    char *email, *tmp1, *tmp2;
-    PRBool isCA;
-    int len;
-
-    if (!cert->subjectName) {
-	return NULL;
-    }
-
-    tmp1 = PORT_Strstr(cert->subjectName, "E=");
-    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
-    /* XXX Nelson has cert for KTrilli which does not have either
-     * of above but is email cert (has cert->emailAddr). 
-     */
-    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
-	return NULL;
-    }
-
-    /*  Server or CA cert, not personal email.  */
-    isCA = CERT_IsCACert(cert, NULL);
-    if (isCA)
-	return NULL;
-
-    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
-	but doesn't appear to. */
-    /*  Check the key usage extension.  */
-    if (cert->keyUsagePresent) {
-	/*  Must at least be able to sign or encrypt (not neccesarily
-	 *  both if it is one of a dual cert).  
-	 */
-	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
-              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
-	    return NULL;
-
-	/*  CA cert, not personal email.  */
-	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
-	    return NULL;
-    }
-
-    if (cert->emailAddr && cert->emailAddr[0]) {
-	email = PORT_Strdup(cert->emailAddr);
-    } else {
-	if (tmp1)
-	    tmp1 += 2; /* "E="  */
-	else
-	    tmp1 = tmp2 + 5; /* "MAIL=" */
-	len = strcspn(tmp1, ", ");
-	email = (char*)PORT_Alloc(len+1);
-	PORT_Strncpy(email, tmp1, len);
-	email[len] = '\0';
-    }
-
-    return email;
-}
-
-SECStatus
-deleteit(CERTCertificate *cert, void *arg)
-{
-    return SEC_DeletePermCertificate(cert);
-}
-
-/*  Different than DeleteCertificate - has the added bonus of removing
- *  all certs with the same DN.  
- */
-SECStatus
-deleteAllEntriesForCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-                        PRFileDesc *outfile)
-{
-#if 0
-    certDBEntrySubject *subjectEntry;
-    certDBEntryNickname *nicknameEntry;
-    certDBEntrySMime *smimeEntry;
-    int i;
-#endif
-
-    if (outfile) {
-	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
-	PR_fprintf(outfile, "Deleting redundant certificate:\n");
-	dumpCertificate(cert, -1, outfile);
-    }
-
-    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
-#if 0
-    CERT_LockDB(handle);
-    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
-    /*  It had better be there, or created a bad db.  */
-    PORT_Assert(subjectEntry);
-    for (i=0; i<subjectEntry->ncerts; i++) {
-	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
-    }
-    DeleteDBSubjectEntry(handle, &cert->derSubject);
-    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
-	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
-	if (smimeEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &smimeEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	}
-    }
-    if (subjectEntry->nickname) {
-	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
-	if (nicknameEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &nicknameEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
-	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
-	}
-    }
-    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
-    CERT_UnlockDB(handle);
-#endif
-    return SECSuccess;
-}
-
-void
-getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
-{
-    int j, num;
-    char *numstr, *numend, *end;
-
-    numstr = numlist;
-    end = numstr + len - 1;
-    while (numstr != end) {
-	numend = strpbrk(numstr, ", \n");
-	*numend = '\0';
-	if (PORT_Strlen(numstr) == 0)
-	    return;
-	num = PORT_Atoi(numstr);
-	if (numstr == numlist)
-	    certNums[0] = num;
-	for (j=1; j<nCerts+1; j++) {
-	    if (num == certNums[j]) {
-		certNums[j] = -1;
-		break;
-	    }
-	}
-	if (numend == end)
-	    break;
-	numstr = strpbrk(numend+1, "0123456789");
-    }
-}
-
-PRBool
-userSaysDeleteCert(CERTCertificate **certs, int nCerts,
-                   int errtype, dbRestoreInfo *info, int *certNums)
-{
-    char response[32];
-    int32 nb;
-    int i;
-    /*  User wants to remove cert without prompting.  */
-    if (info->promptUser[errtype] == PR_FALSE)
-	return (info->removeType[errtype]);
-    switch (errtype) {
-    case dbInvalidCert:
-	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
-	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
-	break;
-    case dbNoSMimeProfile:
-	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
-	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
-	break;
-    case dbOlderCert:
-	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
-	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
-	for (i=0; i<nCerts; i++)
-	    dumpCertificate(certs[i], i, PR_STDOUT);
-	PR_fprintf(PR_STDOUT, 
-	"Enter the certs you would like to keep from those listed above.\n");
-	PR_fprintf(PR_STDOUT, 
-	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
-	PR_fprintf(PR_STDOUT, 
-	"The first cert in the list will be the primary cert\n");
-	PR_fprintf(PR_STDOUT, 
-	" accessed by the nickname/email handle.\n");
-	PR_fprintf(PR_STDOUT, 
-	"List cert numbers to keep here, or hit enter\n");
-	PR_fprintf(PR_STDOUT, 
-	" to always keep only the newest cert:  ");
-	break;
-    default:
-    }
-    nb = PR_Read(PR_STDIN, response, sizeof(response));
-    PR_fprintf(PR_STDOUT, "\n\n");
-    if (errtype == dbOlderCert) {
-	if (!isdigit(response[0])) {
-	    info->promptUser[errtype] = PR_FALSE;
-	    info->removeType[errtype] = PR_TRUE;
-	    return PR_TRUE;
-	}
-	getCertsToDelete(response, nb, certNums, nCerts);
-	return PR_TRUE;
-    }
-    /*  User doesn't want to be prompted for this type anymore.  */
-    if (response[0] == 'Y') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_FALSE;
-	return PR_FALSE;
-    } else if (response[0] == 'N') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_TRUE;
-	return PR_TRUE;
-    }
-    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
-}
-
-SECStatus
-addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
-            CERTCertDBHandle *oldhandle)
-{
-    SECStatus rv = SECSuccess;
-    PRBool allowOverride;
-    PRBool userCert;
-    SECCertTimeValidity validity;
-    CERTCertificate *oldCert = NULL;
-    CERTCertificate *dbCert = NULL;
-    CERTCertificate *newCert = NULL;
-    CERTCertTrust *trust;
-    certDBEntrySMime *smimeEntry = NULL;
-    char *email = NULL;
-    char *nickname = NULL;
-    int nCertsForSubject = 1;
-
-    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
-                                        certEntry->nickname);
-    if (!oldCert) {
-	info->dbErrors[dbBadCertificate]++;
-	SEC_DestroyDBEntry((certDBEntry*)certEntry);
-	return SECSuccess;
-    }
-
-    oldCert->dbEntry = certEntry;
-    oldCert->trust = &certEntry->trust;
-    oldCert->dbhandle = oldhandle;
-
-    trust = oldCert->trust;
-
-    info->nOldCerts++;
-
-    if (info->verbose)
-	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
-
-    if (oldCert->nickname)
-	nickname = PORT_Strdup(oldCert->nickname);
-
-    /*  Always keep user certs.  Skip ahead.  */
-    /*  XXX if someone sends themselves a signed message, it is possible
-	for their cert to be imported as an "other" cert, not a user cert.
-	this mucks with smime entries...  */
-    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-    if (userCert)
-	goto createcert;
-
-    /*  If user chooses so, ignore expired certificates.  */
-    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
-                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
-    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
-    /*  If cert expired and user wants to delete it, ignore it. */
-    if ((validity != secCertTimeValid) && 
-	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
-	info->dbErrors[dbInvalidCert]++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Deleting expired certificate:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-
-    /*  New database will already have default certs, don't attempt
-	to overwrite them.  */
-    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
-    if (dbCert) {
-	info->nCerts++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Added certificate to database:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-    
-    /*  Determine if cert is S/MIME and get its email if so.  */
-    email = IsEmailCert(oldCert);
-
-    /*
-	XXX  Just create empty profiles?
-    if (email) {
-	SECItem *profile = CERT_FindSMimeProfile(oldCert);
-	if (!profile &&
-	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
-	    info->dbErrors[dbNoSMimeProfile]++;
-	    if (info->verbose) {
-		PR_fprintf(info->out, 
-		           "Deleted cert missing S/MIME profile.\n");
-		dumpCertificate(oldCert, -1, info->out);
-	    }
-	    goto cleanup;
-	} else {
-	    SECITEM_FreeItem(profile);
-	}
-    }
-    */
-
-createcert:
-
-    /*  Sometimes happens... */
-    if (!nickname && userCert)
-	nickname = PORT_Strdup(oldCert->subjectName);
-
-    /*  Create a new certificate, copy of the old one.  */
-    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
-                                      nickname, PR_FALSE, PR_TRUE);
-    if (!newCert) {
-	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbBadCertificate]++;
-	goto cleanup;
-    }
-
-    /*  Add the cert to the new database.  */
-    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
-    if (rv) {
-	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbCertNotWrittenToDB]++;
-	goto cleanup;
-    }
-
-    if (info->verbose) {
-	PR_fprintf(info->out, "Added certificate to database:\n");
-	dumpCertificate(oldCert, -1, info->out);
-    }
-
-    /*  If the cert is an S/MIME cert, and the first with it's subject,
-     *  modify the subject entry to include the email address,
-     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
-     */
-    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
-#if 0
-	UpdateSubjectWithEmailAddr(newCert, email);
-#endif
-	SECItem emailProfile, profileTime;
-	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
-	/*  calls UpdateSubjectWithEmailAddr  */
-	if (rv == SECSuccess)
-	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
-    }
-
-    info->nCerts++;
-
-cleanup:
-
-    if (nickname)
-	PORT_Free(nickname);
-    if (email)
-	PORT_Free(email);
-    if (oldCert)
-	CERT_DestroyCertificate(oldCert);
-    if (dbCert)
-	CERT_DestroyCertificate(dbCert);
-    if (newCert)
-	CERT_DestroyCertificate(newCert);
-    if (smimeEntry)
-	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-    return SECSuccess;
-}
-
-#if 0
-SECStatus
-copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
-{
-    SECStatus rv;
-    CERTCertDBHandle *newdb = (CERTCertDBHandle *)pdata;
-    certDBEntryCommon common;
-    SECItem dbkey;
-
-    common.type = type;
-    common.version = CERT_DB_FILE_VERSION;
-    common.flags = data->data[2];
-    common.arena = NULL;
-
-    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
-    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
-    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
-    dbkey.data[0] = type;
-
-    rv = WriteDBEntry(newdb, &common, &dbkey, data);
-
-    PORT_Free(dbkey.data);
-    return rv;
-}
-#endif
-
-int
-certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
-{
-    return !CERT_IsNewer(*cert1, *cert2);
-}
-
-int
-findNewestSubjectForEmail(CERTCertDBHandle *handle, int subjectNum,
-                          certDBArray *dbArray, dbRestoreInfo *info,
-                          int *subjectWithSMime, int *smimeForSubject)
-{
-    int newestSubject;
-    int subjectsForEmail[50];
-    int i, j, ns, sNum;
-    certDBEntryListNode *subjects = &dbArray->subjects;
-    certDBEntryListNode *smime = &dbArray->smime;
-    certDBEntrySubject *subjectEntry1, *subjectEntry2;
-    certDBEntrySMime *smimeEntry;
-    CERTCertificate **certs;
-    CERTCertificate *cert;
-    CERTCertTrust *trust;
-    PRBool userCert;
-    int *certNums;
-
-    ns = 0;
-    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
-    subjectsForEmail[ns++] = subjectNum;
-
-    *subjectWithSMime = -1;
-    *smimeForSubject = -1;
-    newestSubject = subjectNum;
-
-    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-    if (cert) {
-	trust = cert->trust;
-	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-	CERT_DestroyCertificate(cert);
-    }
-
-    /*
-     * XXX Should we make sure that subjectEntry1->emailAddr is not
-     * a null pointer or an empty string before going into the next
-     * two for loops, which pass it to PORT_Strcmp?
-     */
-
-    /*  Loop over the remaining subjects.  */
-    for (i=subjectNum+1; i<subjects.numEntries; i++) {
-	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
-	if (!subjectEntry2)
-	    continue;
-	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
-	     PORT_Strcmp(subjectEntry1->emailAddr, 
-	                 subjectEntry2->emailAddr) == 0) {
-	    /*  Found a subject using the same email address.  */
-	    subjectsForEmail[ns++] = i;
-	}
-    }
-
-    /*  Find the S/MIME entry for this email address.  */
-    for (i=0; i<smime.numEntries; i++) {
-	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
-	if (smimeEntry->common.arena == NULL)
-	    continue;
-	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
-	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
-	    /*  Find which of the subjects uses this S/MIME entry.  */
-	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
-		sNum = subjectsForEmail[j];
-		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
-		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
-		                          &subjectEntry2->derSubject)) {
-		    /*  Found the subject corresponding to the S/MIME entry. */
-		    *subjectWithSMime = sNum;
-		    *smimeForSubject = i;
-		}
-	    }
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
-	    break;
-	}
-    }
-
-    if (ns <= 1)
-	return subjectNum;
-
-    if (userCert)
-	return *subjectWithSMime;
-
-    /*  Now find which of the subjects has the newest cert.  */
-    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
-    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
-    certNums[0] = 0;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-	certNums[i+1] = i;
-    }
-    /*  Sort the array by validity.  */
-    qsort(certs, ns, sizeof(CERTCertificate*), 
-          (int (*)(const void *, const void *))certIsOlder);
-    newestSubject = -1;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
-	                          &certs[0]->derSubject))
-	    newestSubject = sNum;
-	else
-	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
-    }
-    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
-	for (i=1; i<ns+1; i++) {
-	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
-		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
-		info->dbErrors[dbOlderCert]++;
-	    }
-	}
-    }
-    CERT_DestroyCertArray(certs, ns);
-    return newestSubject;
-}
-
-CERTCertDBHandle *
-DBCK_ReconstructDBFromCerts(CERTCertDBHandle *oldhandle, char *newdbname,
-                            PRFileDesc *outfile, PRBool removeExpired,
-                            PRBool requireProfile, PRBool singleEntry,
-                            PRBool promptUser)
-{
-    SECStatus rv;
-    dbRestoreInfo info;
-    certDBEntryContentVersion *oldContentVersion;
-    certDBArray dbArray;
-    int i;
-
-    PORT_Memset(&dbArray, 0, sizeof(dbArray));
-    PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
-    info.out = (outfile) ? outfile : PR_STDOUT;
-    info.removeType[dbInvalidCert] = removeExpired;
-    info.removeType[dbNoSMimeProfile] = requireProfile;
-    info.removeType[dbOlderCert] = singleEntry;
-    info.promptUser[dbInvalidCert]  = promptUser;
-    info.promptUser[dbNoSMimeProfile]  = promptUser;
-    info.promptUser[dbOlderCert]  = promptUser;
-
-    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
-    info.handle = (CERTCertDBHandle *)PORT_ZAlloc(sizeof(CERTCertDBHandle));
-    if (!info.handle) {
-	fprintf(stderr, "unable to get database handle");
-	return NULL;
-    }
-
-    /*  Create a certdb with the most recent set of roots.  */
-    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
-
-    if (rv) {
-	fprintf(stderr, "could not open certificate database");
-	goto loser;
-    }
-
-    /*  Create certificate, subject, nickname, and email records.
-     *  mcom_db seems to have a sequential access bug.  Though reads and writes
-     *  should be allowed during traversal, they seem to screw up the sequence.
-     *  So, stuff all the cert entries into an array, and loop over the array
-     *  doing read/writes in the db.
-     */
-    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
-    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
-         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
-	/* entries get destroyed in addCertToDB */
-    }
-#if 0
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
-                               copyDBEntry, info.handle);
-#endif
-
-    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
-     *  Create S/MIME entries for S/MIME certs.
-     *  Have the S/MIME entry point to the last-expiring cert using
-     *  an email address.
-     */
-#if 0
-    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
-#endif
-
-    freeDBEntryList(&dbArray.certs.link);
-
-    /*  Copy over the version record.  */
-    /*  XXX Already exists - and _must_ be correct... */
-    /*
-    versionEntry = ReadDBVersionEntry(oldhandle);
-    rv = WriteDBVersionEntry(info.handle, versionEntry);
-    */
-
-    /*  Copy over the content version record.  */
-    /*  XXX Can probably get useful info from old content version?
-     *      Was this db created before/after this tool?  etc.
-     */
-#if 0
-    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
-    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
-#endif
-
-#if 0
-    /*  Copy over the CRL & KRL records.  */
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
-                               copyDBEntry, info.handle);
-    /*  XXX Only one KRL, just do db->get? */
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
-                               copyDBEntry, info.handle);
-#endif
-
-    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
-
-    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
-    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
-                       info.dbErrors[dbInvalidCert]);
-    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
-                       info.dbErrors[dbNoSMimeProfile]);
-    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
-                       info.dbErrors[dbOlderCert]);
-    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
-                       info.dbErrors[dbBadCertificate]);
-    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
-                       info.dbErrors[dbCertNotWrittenToDB]);
-
-    if (rv)
-	goto loser;
-
-    return info.handle;
-
-loser:
-    if (info.handle) 
-	PORT_Free(info.handle);
-    return NULL;
-}
+#include "dbrecover.c"
 #endif /* DORECOVER */
 
 enum {
     cmd_Debug = 0,
     cmd_LongUsage,
     cmd_Recover
 };
 
@@ -1731,34 +1180,72 @@ static secuCommandFlag dbck_options[] =
     { /* opt_Mailfile,          */  'm', PR_FALSE, 0, PR_FALSE },
     { /* opt_Prompt,            */  'p', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepRedundant,     */  'r', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepNoSMimeProfile,*/  's', PR_FALSE, 0, PR_FALSE },
     { /* opt_Verbose,           */  'v', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepExpired,       */  'x', PR_FALSE, 0, PR_FALSE }
 };
 
+#define CERT_DB_FMT "%s/cert%s.db"
+
+static char *
+dbck_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+
+    switch (dbVersion) {
+      case 8:
+	dbver = "8";
+	break;
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    /* make sure we return something allocated with PORT_ so we have properly
+     * matched frees at the end */
+    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+    
+
 int 
 main(int argc, char **argv)
 {
-    CERTCertDBHandle *certHandle;
+    NSSLOWCERTCertDBHandle *certHandle;
 
-    PRFileInfo fileInfo;
     PRFileDesc *mailfile = NULL;
     PRFileDesc *dumpfile = NULL;
 
     char * pathname     = 0;
     char * fullname     = 0;
     char * newdbname    = 0;
 
     PRBool removeExpired, requireProfile, singleEntry;
-    
-    SECStatus rv;
+    SECStatus   rv;
+    secuCommand dbck;
 
-    secuCommand dbck;
     dbck.numCommands = sizeof(dbck_commands) / sizeof(secuCommandFlag);
     dbck.numOptions = sizeof(dbck_options) / sizeof(secuCommandFlag);
     dbck.commands = dbck_commands;
     dbck.options = dbck_options;
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
 
@@ -1767,89 +1254,108 @@ main(int argc, char **argv)
     if (rv != SECSuccess)
 	Usage(progName);
 
     if (dbck.commands[cmd_LongUsage].activated)
 	LongUsage(progName);
 
     if (!dbck.commands[cmd_Debug].activated &&
         !dbck.commands[cmd_Recover].activated) {
-	PR_fprintf(PR_STDERR, "Please specify -D or -R.\n");
+	PR_fprintf(PR_STDERR, "Please specify -H, -D or -R.\n");
 	Usage(progName);
     }
 
     removeExpired = !(dbck.options[opt_KeepAll].activated ||
                       dbck.options[opt_KeepExpired].activated);
 
     requireProfile = !(dbck.options[opt_KeepAll].activated ||
                     dbck.options[opt_KeepNoSMimeProfile].activated);
 
     singleEntry = !(dbck.options[opt_KeepAll].activated ||
                     dbck.options[opt_KeepRedundant].activated);
 
     if (dbck.options[opt_OutputDB].activated) {
 	newdbname = PL_strdup(dbck.options[opt_OutputDB].arg);
     } else {
-	newdbname = PL_strdup("new_cert7.db");
+	newdbname = PL_strdup("new_cert8.db");
     }
 
     /*  Create a generic graph of the database.  */
     if (dbck.options[opt_Mailfile].activated) {
 	mailfile = PR_Open("./mailfile", PR_RDWR | PR_CREATE_FILE, 00660);
 	if (!mailfile) {
 	    fprintf(stderr, "Unable to create mailfile.\n");
 	    return -1;
 	}
     }
 
     /*  Dump all debugging info while running.  */
     if (dbck.options[opt_Verbose].activated) {
 	if (dbck.options[opt_Dumpfile].activated) {
 	    dumpfile = PR_Open(dbck.options[opt_Dumpfile].arg,
 	                       PR_RDWR | PR_CREATE_FILE, 00660);
-	}
-	if (!dumpfile) {
-	    fprintf(stderr, "Unable to create dumpfile.\n");
-	    return -1;
+	    if (!dumpfile) {
+		fprintf(stderr, "Unable to create dumpfile.\n");
+		return -1;
+	    }
+	} else {
+	    dumpfile = PR_STDOUT;
 	}
     }
 
     /*  Set the cert database directory.  */
     if (dbck.options[opt_CertDir].activated) {
 	SECU_ConfigDirectory(dbck.options[opt_CertDir].arg);
     }
 
+    pathname = SECU_ConfigDirectory(NULL);
+
     PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    SEC_Init();
+    rv = NSS_NoDB_Init(pathname);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "NSS_NoDB_Init failed\n");
+	return -1;
+    }
 
-    certHandle = (CERTCertDBHandle *)PORT_ZAlloc(sizeof(CERTCertDBHandle));
+    certHandle = PORT_ZNew(NSSLOWCERTCertDBHandle);
     if (!certHandle) {
 	SECU_PrintError(progName, "unable to get database handle");
 	return -1;
     }
+    certHandle->ref = 1;
 
+#ifdef NOTYET
     /*  Open the possibly corrupt database.  */
     if (dbck.options[opt_InputDB].activated) {
-	pathname = SECU_ConfigDirectory(NULL);
+	PRFileInfo fileInfo;
 	fullname = PR_smprintf("%s/%s", pathname, 
 	                                dbck.options[opt_InputDB].arg);
 	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
 	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
 	    return -1;
 	}
 	rv = CERT_OpenCertDBFilename(certHandle, fullname, PR_TRUE);
-    } else {
+    } else 
+#endif
+    {
 	/*  Use the default.  */
+#ifdef NOTYET
 	fullname = SECU_CertDBNameCallback(NULL, CERT_DB_FILE_VERSION);
 	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
 	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
 	    return -1;
 	}
-	rv = CERT_OpenCertDB(certHandle, PR_TRUE, 
-	                     SECU_CertDBNameCallback, NULL);
+#endif
+	rv = nsslowcert_OpenCertDB(certHandle, 
+	                           PR_TRUE, 		    /* readOnly */
+				   NULL,                    /* rdb appName */
+				   "",                      /* rdb prefix */
+	                           dbck_certdb_name_cb,     /* namecb */
+				   pathname, 		    /* configDir */
+				   PR_FALSE);		    /* volatile */
     }
 
     if (rv) {
 	SECU_PrintError(progName, "unable to open cert database");
 	return -1;
     }
 
     if (dbck.commands[cmd_Debug].activated) {
@@ -1867,13 +1373,13 @@ main(int argc, char **argv)
     }
 #endif
 
     if (mailfile)
 	PR_Close(mailfile);
     if (dumpfile)
 	PR_Close(dumpfile);
     if (certHandle) {
-	CERT_ClosePermCertDB(certHandle);
+	nsslowcert_ClosePermCertDB(certHandle);
 	PORT_Free(certHandle);
     }
     return -1;
 }
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/dbck/dbrecover.c
@@ -0,0 +1,702 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+enum {
+    dbInvalidCert = 0,
+    dbNoSMimeProfile,
+    dbOlderCert,
+    dbBadCertificate,
+    dbCertNotWrittenToDB
+};
+
+typedef struct dbRestoreInfoStr
+{
+    NSSLOWCERTCertDBHandle *handle;
+    PRBool verbose;
+    PRFileDesc *out;
+    int nCerts;
+    int nOldCerts;
+    int dbErrors[5];
+    PRBool removeType[3];
+    PRBool promptUser[3];
+} dbRestoreInfo;
+
+char *
+IsEmailCert(CERTCertificate *cert)
+{
+    char *email, *tmp1, *tmp2;
+    PRBool isCA;
+    int len;
+
+    if (!cert->subjectName) {
+	return NULL;
+    }
+
+    tmp1 = PORT_Strstr(cert->subjectName, "E=");
+    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
+    /* XXX Nelson has cert for KTrilli which does not have either
+     * of above but is email cert (has cert->emailAddr). 
+     */
+    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
+	return NULL;
+    }
+
+    /*  Server or CA cert, not personal email.  */
+    isCA = CERT_IsCACert(cert, NULL);
+    if (isCA)
+	return NULL;
+
+    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
+	but doesn't appear to. */
+    /*  Check the key usage extension.  */
+    if (cert->keyUsagePresent) {
+	/*  Must at least be able to sign or encrypt (not neccesarily
+	 *  both if it is one of a dual cert).  
+	 */
+	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
+              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
+	    return NULL;
+
+	/*  CA cert, not personal email.  */
+	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
+	    return NULL;
+    }
+
+    if (cert->emailAddr && cert->emailAddr[0]) {
+	email = PORT_Strdup(cert->emailAddr);
+    } else {
+	if (tmp1)
+	    tmp1 += 2; /* "E="  */
+	else
+	    tmp1 = tmp2 + 5; /* "MAIL=" */
+	len = strcspn(tmp1, ", ");
+	email = (char*)PORT_Alloc(len+1);
+	PORT_Strncpy(email, tmp1, len);
+	email[len] = '\0';
+    }
+
+    return email;
+}
+
+SECStatus
+deleteit(CERTCertificate *cert, void *arg)
+{
+    return SEC_DeletePermCertificate(cert);
+}
+
+/*  Different than DeleteCertificate - has the added bonus of removing
+ *  all certs with the same DN.  
+ */
+SECStatus
+deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
+                        PRFileDesc *outfile)
+{
+#if 0
+    certDBEntrySubject *subjectEntry;
+    certDBEntryNickname *nicknameEntry;
+    certDBEntrySMime *smimeEntry;
+    int i;
+#endif
+
+    if (outfile) {
+	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
+	PR_fprintf(outfile, "Deleting redundant certificate:\n");
+	dumpCertificate(cert, -1, outfile);
+    }
+
+    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
+#if 0
+    CERT_LockDB(handle);
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+    /*  It had better be there, or created a bad db.  */
+    PORT_Assert(subjectEntry);
+    for (i=0; i<subjectEntry->ncerts; i++) {
+	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
+    }
+    DeleteDBSubjectEntry(handle, &cert->derSubject);
+    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
+	if (smimeEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &smimeEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	}
+    }
+    if (subjectEntry->nickname) {
+	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
+	if (nicknameEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &nicknameEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
+	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
+	}
+    }
+    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
+    CERT_UnlockDB(handle);
+#endif
+    return SECSuccess;
+}
+
+void
+getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
+{
+    int j, num;
+    char *numstr, *numend, *end;
+
+    numstr = numlist;
+    end = numstr + len - 1;
+    while (numstr != end) {
+	numend = strpbrk(numstr, ", \n");
+	*numend = '\0';
+	if (PORT_Strlen(numstr) == 0)
+	    return;
+	num = PORT_Atoi(numstr);
+	if (numstr == numlist)
+	    certNums[0] = num;
+	for (j=1; j<nCerts+1; j++) {
+	    if (num == certNums[j]) {
+		certNums[j] = -1;
+		break;
+	    }
+	}
+	if (numend == end)
+	    break;
+	numstr = strpbrk(numend+1, "0123456789");
+    }
+}
+
+PRBool
+userSaysDeleteCert(CERTCertificate **certs, int nCerts,
+                   int errtype, dbRestoreInfo *info, int *certNums)
+{
+    char response[32];
+    int32 nb;
+    int i;
+    /*  User wants to remove cert without prompting.  */
+    if (info->promptUser[errtype] == PR_FALSE)
+	return (info->removeType[errtype]);
+    switch (errtype) {
+    case dbInvalidCert:
+	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
+	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
+	break;
+    case dbNoSMimeProfile:
+	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
+	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
+	break;
+    case dbOlderCert:
+	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
+	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
+	for (i=0; i<nCerts; i++)
+	    dumpCertificate(certs[i], i, PR_STDOUT);
+	PR_fprintf(PR_STDOUT, 
+	"Enter the certs you would like to keep from those listed above.\n");
+	PR_fprintf(PR_STDOUT, 
+	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
+	PR_fprintf(PR_STDOUT, 
+	"The first cert in the list will be the primary cert\n");
+	PR_fprintf(PR_STDOUT, 
+	" accessed by the nickname/email handle.\n");
+	PR_fprintf(PR_STDOUT, 
+	"List cert numbers to keep here, or hit enter\n");
+	PR_fprintf(PR_STDOUT, 
+	" to always keep only the newest cert:  ");
+	break;
+    default:
+    }
+    nb = PR_Read(PR_STDIN, response, sizeof(response));
+    PR_fprintf(PR_STDOUT, "\n\n");
+    if (errtype == dbOlderCert) {
+	if (!isdigit(response[0])) {
+	    info->promptUser[errtype] = PR_FALSE;
+	    info->removeType[errtype] = PR_TRUE;
+	    return PR_TRUE;
+	}
+	getCertsToDelete(response, nb, certNums, nCerts);
+	return PR_TRUE;
+    }
+    /*  User doesn't want to be prompted for this type anymore.  */
+    if (response[0] == 'Y') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_FALSE;
+	return PR_FALSE;
+    } else if (response[0] == 'N') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_TRUE;
+	return PR_TRUE;
+    }
+    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
+}
+
+SECStatus
+addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
+            NSSLOWCERTCertDBHandle *oldhandle)
+{
+    SECStatus rv = SECSuccess;
+    PRBool allowOverride;
+    PRBool userCert;
+    SECCertTimeValidity validity;
+    CERTCertificate *oldCert = NULL;
+    CERTCertificate *dbCert = NULL;
+    CERTCertificate *newCert = NULL;
+    CERTCertTrust *trust;
+    certDBEntrySMime *smimeEntry = NULL;
+    char *email = NULL;
+    char *nickname = NULL;
+    int nCertsForSubject = 1;
+
+    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
+                                        certEntry->nickname);
+    if (!oldCert) {
+	info->dbErrors[dbBadCertificate]++;
+	SEC_DestroyDBEntry((certDBEntry*)certEntry);
+	return SECSuccess;
+    }
+
+    oldCert->dbEntry = certEntry;
+    oldCert->trust = &certEntry->trust;
+    oldCert->dbhandle = oldhandle;
+
+    trust = oldCert->trust;
+
+    info->nOldCerts++;
+
+    if (info->verbose)
+	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
+
+    if (oldCert->nickname)
+	nickname = PORT_Strdup(oldCert->nickname);
+
+    /*  Always keep user certs.  Skip ahead.  */
+    /*  XXX if someone sends themselves a signed message, it is possible
+	for their cert to be imported as an "other" cert, not a user cert.
+	this mucks with smime entries...  */
+    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+    if (userCert)
+	goto createcert;
+
+    /*  If user chooses so, ignore expired certificates.  */
+    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
+                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
+    /*  If cert expired and user wants to delete it, ignore it. */
+    if ((validity != secCertTimeValid) && 
+	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
+	info->dbErrors[dbInvalidCert]++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Deleting expired certificate:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+
+    /*  New database will already have default certs, don't attempt
+	to overwrite them.  */
+    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
+    if (dbCert) {
+	info->nCerts++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Added certificate to database:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+    
+    /*  Determine if cert is S/MIME and get its email if so.  */
+    email = IsEmailCert(oldCert);
+
+    /*
+	XXX  Just create empty profiles?
+    if (email) {
+	SECItem *profile = CERT_FindSMimeProfile(oldCert);
+	if (!profile &&
+	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
+	    info->dbErrors[dbNoSMimeProfile]++;
+	    if (info->verbose) {
+		PR_fprintf(info->out, 
+		           "Deleted cert missing S/MIME profile.\n");
+		dumpCertificate(oldCert, -1, info->out);
+	    }
+	    goto cleanup;
+	} else {
+	    SECITEM_FreeItem(profile);
+	}
+    }
+    */
+
+createcert:
+
+    /*  Sometimes happens... */
+    if (!nickname && userCert)
+	nickname = PORT_Strdup(oldCert->subjectName);
+
+    /*  Create a new certificate, copy of the old one.  */
+    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
+                                      nickname, PR_FALSE, PR_TRUE);
+    if (!newCert) {
+	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbBadCertificate]++;
+	goto cleanup;
+    }
+
+    /*  Add the cert to the new database.  */
+    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
+    if (rv) {
+	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbCertNotWrittenToDB]++;
+	goto cleanup;
+    }
+
+    if (info->verbose) {
+	PR_fprintf(info->out, "Added certificate to database:\n");
+	dumpCertificate(oldCert, -1, info->out);
+    }
+
+    /*  If the cert is an S/MIME cert, and the first with it's subject,
+     *  modify the subject entry to include the email address,
+     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
+     */
+    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
+#if 0
+	UpdateSubjectWithEmailAddr(newCert, email);
+#endif
+	SECItem emailProfile, profileTime;
+	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
+	/*  calls UpdateSubjectWithEmailAddr  */
+	if (rv == SECSuccess)
+	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
+    }
+
+    info->nCerts++;
+
+cleanup:
+
+    if (nickname)
+	PORT_Free(nickname);
+    if (email)
+	PORT_Free(email);
+    if (oldCert)
+	CERT_DestroyCertificate(oldCert);
+    if (dbCert)
+	CERT_DestroyCertificate(dbCert);
+    if (newCert)
+	CERT_DestroyCertificate(newCert);
+    if (smimeEntry)
+	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+    return SECSuccess;
+}
+
+#if 0
+SECStatus
+copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
+{
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
+    certDBEntryCommon common;
+    SECItem dbkey;
+
+    common.type = type;
+    common.version = CERT_DB_FILE_VERSION;
+    common.flags = data->data[2];
+    common.arena = NULL;
+
+    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
+    dbkey.data[0] = type;
+
+    rv = WriteDBEntry(newdb, &common, &dbkey, data);
+
+    PORT_Free(dbkey.data);
+    return rv;
+}
+#endif
+
+int
+certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
+{
+    return !CERT_IsNewer(*cert1, *cert2);
+}
+
+int
+findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
+                          certDBArray *dbArray, dbRestoreInfo *info,
+                          int *subjectWithSMime, int *smimeForSubject)
+{
+    int newestSubject;
+    int subjectsForEmail[50];
+    int i, j, ns, sNum;
+    certDBEntryListNode *subjects = &dbArray->subjects;
+    certDBEntryListNode *smime = &dbArray->smime;
+    certDBEntrySubject *subjectEntry1, *subjectEntry2;
+    certDBEntrySMime *smimeEntry;
+    CERTCertificate **certs;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    PRBool userCert;
+    int *certNums;
+
+    ns = 0;
+    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
+    subjectsForEmail[ns++] = subjectNum;
+
+    *subjectWithSMime = -1;
+    *smimeForSubject = -1;
+    newestSubject = subjectNum;
+
+    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+    if (cert) {
+	trust = cert->trust;
+	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+	CERT_DestroyCertificate(cert);
+    }
+
+    /*
+     * XXX Should we make sure that subjectEntry1->emailAddr is not
+     * a null pointer or an empty string before going into the next
+     * two for loops, which pass it to PORT_Strcmp?
+     */
+
+    /*  Loop over the remaining subjects.  */
+    for (i=subjectNum+1; i<subjects.numEntries; i++) {
+	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
+	if (!subjectEntry2)
+	    continue;
+	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
+	     PORT_Strcmp(subjectEntry1->emailAddr, 
+	                 subjectEntry2->emailAddr) == 0) {
+	    /*  Found a subject using the same email address.  */
+	    subjectsForEmail[ns++] = i;
+	}
+    }
+
+    /*  Find the S/MIME entry for this email address.  */
+    for (i=0; i<smime.numEntries; i++) {
+	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
+	if (smimeEntry->common.arena == NULL)
+	    continue;
+	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
+	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
+	    /*  Find which of the subjects uses this S/MIME entry.  */
+	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
+		sNum = subjectsForEmail[j];
+		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
+		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
+		                          &subjectEntry2->derSubject)) {
+		    /*  Found the subject corresponding to the S/MIME entry. */
+		    *subjectWithSMime = sNum;
+		    *smimeForSubject = i;
+		}
+	    }
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
+	    break;
+	}
+    }
+
+    if (ns <= 1)
+	return subjectNum;
+
+    if (userCert)
+	return *subjectWithSMime;
+
+    /*  Now find which of the subjects has the newest cert.  */
+    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
+    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
+    certNums[0] = 0;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+	certNums[i+1] = i;
+    }
+    /*  Sort the array by validity.  */
+    qsort(certs, ns, sizeof(CERTCertificate*), 
+          (int (*)(const void *, const void *))certIsOlder);
+    newestSubject = -1;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
+	                          &certs[0]->derSubject))
+	    newestSubject = sNum;
+	else
+	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
+    }
+    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
+	for (i=1; i<ns+1; i++) {
+	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
+		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
+		info->dbErrors[dbOlderCert]++;
+	    }
+	}
+    }
+    CERT_DestroyCertArray(certs, ns);
+    return newestSubject;
+}
+
+NSSLOWCERTCertDBHandle *
+DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
+                            PRFileDesc *outfile, PRBool removeExpired,
+                            PRBool requireProfile, PRBool singleEntry,
+                            PRBool promptUser)
+{
+    SECStatus rv;
+    dbRestoreInfo info;
+    certDBEntryContentVersion *oldContentVersion;
+    certDBArray dbArray;
+    int i;
+
+    PORT_Memset(&dbArray, 0, sizeof(dbArray));
+    PORT_Memset(&info, 0, sizeof(info));
+    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
+    info.out = (outfile) ? outfile : PR_STDOUT;
+    info.removeType[dbInvalidCert] = removeExpired;
+    info.removeType[dbNoSMimeProfile] = requireProfile;
+    info.removeType[dbOlderCert] = singleEntry;
+    info.promptUser[dbInvalidCert]  = promptUser;
+    info.promptUser[dbNoSMimeProfile]  = promptUser;
+    info.promptUser[dbOlderCert]  = promptUser;
+
+    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
+    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
+    if (!info.handle) {
+	fprintf(stderr, "unable to get database handle");
+	return NULL;
+    }
+
+    /*  Create a certdb with the most recent set of roots.  */
+    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
+
+    if (rv) {
+	fprintf(stderr, "could not open certificate database");
+	goto loser;
+    }
+
+    /*  Create certificate, subject, nickname, and email records.
+     *  mcom_db seems to have a sequential access bug.  Though reads and writes
+     *  should be allowed during traversal, they seem to screw up the sequence.
+     *  So, stuff all the cert entries into an array, and loop over the array
+     *  doing read/writes in the db.
+     */
+    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
+    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
+         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
+	/* entries get destroyed in addCertToDB */
+    }
+#if 0
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
+                               copyDBEntry, info.handle);
+#endif
+
+    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
+     *  Create S/MIME entries for S/MIME certs.
+     *  Have the S/MIME entry point to the last-expiring cert using
+     *  an email address.
+     */
+#if 0
+    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
+#endif
+
+    freeDBEntryList(&dbArray.certs.link);
+
+    /*  Copy over the version record.  */
+    /*  XXX Already exists - and _must_ be correct... */
+    /*
+    versionEntry = ReadDBVersionEntry(oldhandle);
+    rv = WriteDBVersionEntry(info.handle, versionEntry);
+    */
+
+    /*  Copy over the content version record.  */
+    /*  XXX Can probably get useful info from old content version?
+     *      Was this db created before/after this tool?  etc.
+     */
+#if 0
+    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
+    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
+#endif
+
+#if 0
+    /*  Copy over the CRL & KRL records.  */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
+                               copyDBEntry, info.handle);
+    /*  XXX Only one KRL, just do db->get? */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
+                               copyDBEntry, info.handle);
+#endif
+
+    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
+
+    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
+    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
+                       info.dbErrors[dbInvalidCert]);
+    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
+                       info.dbErrors[dbNoSMimeProfile]);
+    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
+                       info.dbErrors[dbOlderCert]);
+    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
+                       info.dbErrors[dbBadCertificate]);
+    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
+                       info.dbErrors[dbCertNotWrittenToDB]);
+
+    if (rv)
+	goto loser;
+
+    return info.handle;
+
+loser:
+    if (info.handle) 
+	PORT_Free(info.handle);
+    return NULL;
+}
+
--- a/security/nss/cmd/dbck/manifest.mn
+++ b/security/nss/cmd/dbck/manifest.mn
@@ -46,8 +46,9 @@ CSRCS = \
 	dbck.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = dbm seccmd
 
 PROGRAM = dbck
+USE_STATIC_LIBS = 1
--- a/security/nss/cmd/dbtest/Makefile
+++ b/security/nss/cmd/dbtest/Makefile
@@ -57,26 +57,16 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 include ../platlibs.mk
 
 ifdef XP_OS2_VACPP
 CFLAGS += -I../modutil
 endif
 
-ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
-ifndef BUILD_OPT
-ifndef NS_USE_GCC
-LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
-endif
-OS_CFLAGS += -D_CONSOLE
-endif
-endif
-
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/security/nss/cmd/fipstest/Makefile
+++ b/security/nss/cmd/fipstest/Makefile
@@ -57,20 +57,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
-#EXTRA_SHARED_LIBS += \
-#	-L/usr/lib \
-#	-lposix4 \
-#	$(NULL)
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
new file mode 100755
--- /dev/null
+++ b/security/nss/cmd/fipstest/dsa.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa keypair $request > $response
+
+request=PQGGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqggen $request > $response
+
+request=PQGVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqgver $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa sigver $request > $response
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/ecdsa.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST ECDSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa keypair $request > $response
+
+request=PKV.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa pkv $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa sigver $request > $response
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -36,308 +36,49 @@
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
 
 #include "secitem.h"
 #include "blapi.h"
 #include "nss.h"
+#include "secerr.h"
+#include "secder.h"
+#include "secdig.h"
+#include "keythi.h"
+#include "ec.h"
+#include "hasht.h"
+#include "lowkeyi.h"
+#include "softoken.h"
+#include "pqgutil.h"
+
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
 
-static const unsigned char
-table3[32][8] = {
-  { 0x10, 0x46, 0x91, 0x34, 0x89, 0x98, 0x01, 0x31 },
-  { 0x10, 0x07, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x07, 0x10, 0x34, 0xc8, 0x98, 0x01, 0x20 },
-  { 0x10, 0x46, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x51, 0x07, 0xb0, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x10, 0x07, 0xb0, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x54, 0x98, 0x08, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x94, 0x98, 0x08, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x15, 0xb9, 0x08, 0x01, 0x40 },
-  { 0x31, 0x07, 0x91, 0x15, 0x98, 0x08, 0x01, 0x40 },
-  { 0x10, 0x07, 0xd0, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0x91, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0xd0, 0x15, 0x89, 0x19, 0x01, 0x01 },
-  { 0x10, 0x07, 0xd0, 0x15