fixup commit for branch 'MOZILLA_1_4_BRANCH' MOZILLA_1_4_BRANCH
authorcvs2hg
Wed, 21 May 2003 22:08:38 +0000
branchMOZILLA_1_4_BRANCH
changeset 4447 413719d5bc7738aa5d052ef6374005b2ebfea5cf
parent 4330 c983f5e13f9df4c8ebeb973f05d536bd64e031d0
child 4448 06364cae56a45153badb43ef40ea556246ca3a1f
child 4449 41b0bc73dfe72a7e40eebb30ddbc3b2b4b1e5c53
child 4464 bd945d8d7985a0e9ecfbd3f0a9f41be24685d5e0
child 4513 23538d2dbcc417040f9c2da70b0d1518747a525b
child 4603 11b66f2cd625853ecb48f823fdee22336b503e45
push idunknown
push userunknown
push dateunknown
fixup commit for branch 'MOZILLA_1_4_BRANCH'
dbm/src/Makefile.in
dbm/src/hash.c
dbm/tests/Makefile.in
security/coreconf/HP-UXB.11.22.mk
security/coreconf/Linux.mk
security/coreconf/OS2.mk
security/coreconf/WIN32.mk
security/coreconf/WIN954.0.mk
security/coreconf/rules.mk
security/dbm/Makefile
security/dbm/config/config.mk
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/dirent.c
security/dbm/src/dirent.h
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/cmd/dbtest/Makefile
security/nss/cmd/platlibs.mk
security/nss/cmd/rsaperf/Makefile
security/nss/cmd/shlibsign/Makefile
security/nss/cmd/shlibsign/sign.cmd
security/nss/cmd/tstclnt/Makefile
security/nss/cmd/vfyserv/Makefile
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/ckfw/builtins/Makefile
security/nss/lib/ckfw/builtins/config.mk
security/nss/lib/ckfw/builtins/manifest.mn
security/nss/lib/ckfw/builtins/nssckbi.def
security/nss/lib/ckfw/ckapi.perl
security/nss/lib/ckfw/nsprstub.c
security/nss/lib/ckfw/nssck.api
security/nss/lib/dev/dev.h
security/nss/lib/dev/devslot.c
security/nss/lib/dev/devt.h
security/nss/lib/fortcrypt/Makefile
security/nss/lib/fortcrypt/maci.h
security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/shvfy.c
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/dev3hack.c
security/nss/lib/pk11wrap/pk11func.h
security/nss/lib/pk11wrap/pk11load.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/smime/cmsdecode.c
security/nss/lib/smime/config.mk
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/pkcs11p.h
security/nss/lib/softoken/pkcs11u.h
security/nss/lib/ssl/config.mk
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/util/secasn1d.c
--- a/dbm/src/Makefile.in
+++ b/dbm/src/Makefile.in
@@ -63,16 +63,13 @@ endif # WINNT
 LOCAL_INCLUDES	= -I$(srcdir)/../include
 
 FORCE_STATIC_LIB = 1
 FORCE_USE_PIC = 1
 
 include $(topsrcdir)/config/rules.mk
 
 DEFINES		+= -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-ifeq ($(OS_ARCH), Linux)
-DEFINES         += -D_BSD_SOURCE
-endif
 
 ifeq ($(OS_ARCH),AIX)
 OS_LIBS		+= -lc_r
 endif
 
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -180,17 +180,17 @@ extern DB *
 	 	 * if it exists
 	 	 */
 		new_table = 1;
 	}
 	hashp->file_size = statbuf.st_size;
 
 	if (file) {				 
 
-#if defined(_WIN32) || defined(_WINDOWS) || defined (macintosh)  || defined(XP_OS2_VACPP)
+#if defined(_WIN32) || defined(_WINDOWS) || defined (macintosh)  || defined(XP_OS2)
 		if ((hashp->fp = DBFILE_OPEN(file, flags | O_BINARY, mode)) == -1)
 			RETURN_ERROR(errno, error0);
 #else
  	if ((hashp->fp = open(file, flags, mode)) == -1)
 		RETURN_ERROR(errno, error0);
 	(void)fcntl(hashp->fp, F_SETFD, 1);
 /* We can't use fcntl because of NFS bugs. SIGH */
 #if 0
--- a/dbm/tests/Makefile.in
+++ b/dbm/tests/Makefile.in
@@ -36,11 +36,8 @@ EXTRA_DSO_LIBS	= dbm$(MOZ_BITS)
 else
 EXTRA_DSO_LIBS	= mozdbm_s
 endif
 
 LIBS		= $(EXTRA_DSO_LIBS)
 
 include $(topsrcdir)/config/rules.mk
 
-ifeq ($(OS_ARCH), Linux)
-DEFINES         += -D_BSD_SOURCE
-endif
new file mode 100644
--- /dev/null
+++ b/security/coreconf/HP-UXB.11.22.mk
@@ -0,0 +1,55 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 2002 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+# On HP-UX 10.30 and 11.x, the default implementation strategy is
+# pthreads.  Classic nspr and pthreads-user are also available.
+#
+
+ifeq ($(OS_RELEASE),B.11.22)
+OS_CFLAGS		+= -DHPUX10
+DEFAULT_IMPL_STRATEGY = _PTH
+endif
+
+#
+# To use the true pthread (kernel thread) library on 10.30 and
+# 11.x, we should define _POSIX_C_SOURCE to be 199506L.
+# The _REENTRANT macro is deprecated.
+#
+
+ifdef USE_PTHREADS
+	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
+endif
+
+#
+# Config stuff for HP-UXB.11.x.
+#
+include $(CORE_DEPTH)/coreconf/HP-UXB.11.mk
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -85,28 +85,33 @@ else
 ifeq ($(OS_TEST),s390)
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH        = s390
 else
 ifeq ($(OS_TEST),s390x)
 	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
 	CPU_ARCH        = s390x
 else
+ifeq ($(OS_TEST),mips)
+	OS_REL_CFLAGS   = -DLINUX1_2 -D_XOPEN_SOURCE
+	CPU_ARCH        = mips
+else
 	OS_REL_CFLAGS	= -DLINUX1_2 -Di386 -D_XOPEN_SOURCE
 	CPU_ARCH	= x86
 endif
 endif
 endif
 endif
 endif
 endif
 endif
 endif
 endif
 endif
+endif
 
 
 LIBC_TAG		= _glibc
 
 ifeq ($(OS_RELEASE),2.0)
 	OS_REL_CFLAGS	+= -DLINUX2_0
 	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
 	ifdef BUILD_OPT
--- a/security/coreconf/OS2.mk
+++ b/security/coreconf/OS2.mk
@@ -106,17 +106,17 @@ OS_CFLAGS          = -Wall -W -Wno-unuse
 
 # Where the libraries are
 MOZ_COMPONENT_NSPR_LIBS=-L$(DIST)/lib $(NSPR_LIBS)
 NSPR_LIBS	= -lplds4 -lplc4 -lnspr4 
 NSPR_INCLUDE_DIR =   
 
 
 ifdef BUILD_OPT
-OPTIMIZER		= -O6 
+OPTIMIZER		= -O2 -s
 DEFINES 		+= -UDEBUG -U_DEBUG -DNDEBUG
 DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map)
 EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
 OBJDIR_TAG 		= _OPT
 else
 #OPTIMIZER		= -O+ -Oi
 DEFINES 		+= -DDEBUG -D_DEBUG -DDEBUGPRINTS     #HCT Need += to avoid overidding manifest.mn 
 DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map)
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -33,23 +33,36 @@
 
 #
 # Configuration common to all versions of Windows NT
 # and Windows 95
 #
 
 DEFAULT_COMPILER = cl
 
-CC           = cl
-CCC          = cl
-LINK         = link
-AR           = lib
-AR          += -NOLOGO -OUT:"$@"
-RANLIB       = echo
-BSDECHO      = echo
+ifdef NS_USE_GCC
+	CC           = gcc
+	CCC          = g++
+	LINK         = ld
+	AR           = ar
+	AR          += cr $@
+	RANLIB       = ranlib
+	BSDECHO      = echo
+	RC           = windres.exe -O coff
+	LINK_DLL      = $(CC) $(OS_DLLFLAGS) $(DLLFLAGS)
+else
+	CC           = cl
+	CCC          = cl
+	LINK         = link
+	AR           = lib
+	AR          += -NOLOGO -OUT:"$@"
+	RANLIB       = echo
+	BSDECHO      = echo
+	RC           = rc.exe
+endif
 
 ifdef BUILD_TREE
 NSINSTALL_DIR  = $(BUILD_TREE)/nss
 else
 NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
 endif
 NSINSTALL      = nsinstall
 
@@ -57,35 +70,60 @@ MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf
 MKDEPEND        = $(MKDEPEND_DIR)/$(OBJDIR_NAME)/mkdepend.exe
 # Note: MKDEPENDENCIES __MUST__ be a relative pathname, not absolute.
 # If it is absolute, gmake will crash unless the named file exists.
 MKDEPENDENCIES  = $(OBJDIR_NAME)/depend.mk
 
 INSTALL      = $(NSINSTALL)
 MAKE_OBJDIR  = mkdir
 MAKE_OBJDIR += $(OBJDIR)
-RC           = rc.exe
 GARBAGE     += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb
 XP_DEFINE   += -DXP_PC
+ifdef NS_USE_GCC
+LIB_SUFFIX   = a
+else
 LIB_SUFFIX   = lib
+endif
 DLL_SUFFIX   = dll
 
-ifdef BUILD_OPT
+ifdef NS_USE_GCC
+    OS_CFLAGS += -mno-cygwin -mms-bitfields
+    _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
+    DLLFLAGS  += -mno-cygwin -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
+    ifdef BUILD_OPT
+	OPTIMIZER  += -O2
+	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
+	#
+	# Add symbolic information for a profiler
+	#
+	ifdef MOZ_PROFILE
+		OPTIMIZER += -g
+	endif
+    else
+	OPTIMIZER  += -g
+	NULLSTRING :=
+	SPACE      := $(NULLSTRING) # end of the line
+	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
+	USERNAME   := $(subst -,_,$(USERNAME))
+	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
+    endif
+else # !NS_USE_GCC
+    ifdef BUILD_OPT
 	OS_CFLAGS  += -MD
 	OPTIMIZER  += -O2
 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
 	DLLFLAGS   += -OUT:"$@"
 	#
 	# Add symbolic information for a profiler
 	#
 	ifdef MOZ_PROFILE
 		OPTIMIZER += -Z7
 		DLLFLAGS += -DEBUG -DEBUGTYPE:CV
 	endif
-else
+    else
 	#
 	# Define USE_DEBUG_RTL if you want to use the debug runtime library
 	# (RTL) in the debug build
 	#
 	ifdef USE_DEBUG_RTL
 		OS_CFLAGS += -MDd
 	else
 		OS_CFLAGS += -MD
@@ -94,35 +132,43 @@ else
 	#OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
 	DLLFLAGS   += -DEBUG -DEBUGTYPE:CV -OUT:"$@"
 	LDFLAGS    += -DEBUG -DEBUGTYPE:CV -PDB:NONE
-endif
+    endif
+endif # NS_USE_GCC
 
 DEFINES += -DWIN32
 ifdef MAPFILE
+ifndef NS_USE_GCC
 DLLFLAGS += -DEF:$(MAPFILE)
 endif
+endif
 # Change PROCESS to put the mapfile in the correct format for this platform
 PROCESS_MAP_FILE = cp $(LIBRARY_NAME).def $@
 
 
 #
 #  The following is NOT needed for the NSPR 2.0 library.
 #
 
 DEFINES += -D_WINDOWS
 
 # override default, which is ASFLAGS = CFLAGS
-AS	= ml.exe
-ASFLAGS = -Cp -Sn -Zi -coff $(INCLUDES)
+ifdef NS_USE_GCC
+	AS	= $(CC)
+	ASFLAGS = $(INCLUDES)
+else
+	AS	= ml.exe
+	ASFLAGS = -Cp -Sn -Zi -coff $(INCLUDES)
+endif
 
 #
 # override the definitions of RELEASE_TREE found in tree.mk
 #
 ifndef RELEASE_TREE
     ifdef BUILD_SHIP
 	ifdef USE_SHIPS
 	    RELEASE_TREE = $(NTBUILD_SHIP)
@@ -130,43 +176,64 @@ ifndef RELEASE_TREE
 	    RELEASE_TREE = //redbuild/components
 	endif
     else
 	RELEASE_TREE = //redbuild/components
     endif
 endif
 
 #
-# override the definitions of LIB_PREFIX and DLL_PREFIX in prefix.mk
+# override the definitions of IMPORT_LIB_PREFIX, LIB_PREFIX, and
+# DLL_PREFIX in prefix.mk
 #
 
+ifndef IMPORT_LIB_PREFIX
+    ifdef NS_USE_GCC
+	IMPORT_LIB_PREFIX = lib
+    else
+	IMPORT_LIB_PREFIX = $(NULL)
+    endif
+endif
+
 ifndef LIB_PREFIX
-    LIB_PREFIX =  $(NULL)
+    ifdef NS_USE_GCC
+	LIB_PREFIX = lib
+    else
+	LIB_PREFIX = $(NULL)
+    endif
 endif
 
 ifndef DLL_PREFIX
     DLL_PREFIX =  $(NULL)
 endif
 
 #
 # override the definitions of various _SUFFIX symbols in suffix.mk
 #
 
 #
 # Object suffixes
 #
 ifndef OBJ_SUFFIX
-    OBJ_SUFFIX = .obj
+    ifdef NS_USE_GCC
+	OBJ_SUFFIX = .o
+    else
+	OBJ_SUFFIX = .obj
+    endif
 endif
 
 #
 # Assembler source suffixes
 #
 ifndef ASM_SUFFIX
-    ASM_SUFFIX = .asm
+    ifdef NS_USE_GCC
+	ASM_SUFFIX = .s
+    else
+	ASM_SUFFIX = .asm
+    endif
 endif
 
 #
 # Library suffixes
 #
 
 ifndef IMPORT_LIB_SUFFIX
     IMPORT_LIB_SUFFIX = .$(LIB_SUFFIX)
--- a/security/coreconf/WIN954.0.mk
+++ b/security/coreconf/WIN954.0.mk
@@ -35,25 +35,29 @@
 # Config stuff for WIN95
 #
 # This makefile defines the following variables:
 # OS_CFLAGS and OS_DLLFLAGS.
 
 include $(CORE_DEPTH)/coreconf/WIN32.mk
 
 ifeq ($(CPU_ARCH), x386)
+ifndef NS_USE_GCC
 	OS_CFLAGS += -W3 -nologo
+endif
 	DEFINES += -D_X86_
 else 
 	ifeq ($(CPU_ARCH), MIPS)
 		#OS_CFLAGS += -W3 -nologo
 		#DEFINES += -D_MIPS_
 		OS_CFLAGS  += -W3 -nologo
 	else 
 		ifeq ($(CPU_ARCH), ALPHA)
 			OS_CFLAGS += -W3 -nologo
 			DEFINES += -D_ALPHA_=1
 		endif
 	endif
 endif
 
+ifndef NS_USE_GCC
 OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS -PDB:NONE
+endif
 DEFINES += -DWIN95
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -47,17 +47,17 @@ ifeq ($(AUTOCLEAN),1)
 autobuild:: clean export private_export libs program install
 else
 autobuild:: export private_export libs program install
 endif
 
 platform::
 	@echo $(OBJDIR_NAME)
 
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 USE_NT_C_SYNTAX=1
 endif
 
 ifdef XP_OS2_VACPP
 USE_NT_C_SYNTAX=1
 endif
 
 #
@@ -280,17 +280,17 @@ ifdef XP_OS2_VACPP
 # list of libs (such as -lnspr4) do not work for our compiler
 # change it to be $(DIST)/lib/nspr4.lib
 EXTRA_SHARED_LIBS := $(filter-out -L%,$(EXTRA_SHARED_LIBS))
 EXTRA_SHARED_LIBS := $(patsubst -l%,$(DIST)/lib/%.$(LIB_SUFFIX),$(EXTRA_SHARED_LIBS))
 endif
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
 else
 ifdef XP_OS2_VACPP
 	$(MKPROG) -Fe$@ $(CFLAGS) $(OBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 endif
@@ -332,17 +332,21 @@ ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
 	nm -B -C -g $(OBJS) \
 	| awk '/ [T,D] / {print $$3}' \
 	| sed -e 's/^\.//' \
 	| sort -u >> $(OBJDIR)/lib$(LIBRARY_NAME)_syms
 	$(LD) $(XCFLAGS) -o $@ $(OBJS) -bE:$(OBJDIR)/lib$(LIBRARY_NAME)_syms \
 	-bM:SRE -bnoentry $(OS_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 else
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifdef NS_USE_GCC
+	$(LINK_DLL) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
+else
 	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES))
+endif
 else
 ifdef XP_OS2_VACPP
 	$(MKSHLIB) $(DLLFLAGS) $(LDFLAGS) $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 endif
 	chmod +x $@
 ifeq ($(OS_TARGET),Darwin)
@@ -352,56 +356,91 @@ endif
 endif
 endif
 endif
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 $(RES): $(RESNAME)
 	@$(MAKE_OBJDIR)
 # The resource compiler does not understand the -U option.
+ifdef NS_USE_GCC
+	$(RC) $(filter-out -U%,$(DEFINES)) $(INCLUDES:-I%=--include-dir %) -o $@ $<
+else
 	$(RC) $(filter-out -U%,$(DEFINES)) $(INCLUDES) -Fo$@ $<
+endif
 	@echo $(RES) finished
 endif
 
 $(MAPFILE): $(LIBRARY_NAME).def
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) -Fe$@ -link \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKPROG) -o $@ $(OBJDIR)/$(PROG_PREFIX)$*$(OBJ_SUFFIX) \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 
 WCCFLAGS1 := $(subst /,\\,$(CFLAGS))
 WCCFLAGS2 := $(subst -I,-i=,$(WCCFLAGS1))
 WCCFLAGS3 := $(subst -D,-d,$(WCCFLAGS2))
 
+# Translate source filenames to absolute paths. This is required for
+# debuggers under Windows & OS/2 to find source files automatically
+
+ifeq (,$(filter-out OS2%,$(OS_TARGET)))
+NEED_ABSOLUTE_PATH := 1
+PWD := $(shell pwd)
+endif
+
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+NEED_ABSOLUTE_PATH := 1
+ifeq (,$(findstring ;,$(PATH)))
+PWD :=  $(subst \,/,$(shell cygpath -w `pwd`))
+else
+PWD := $(shell pwd)
+endif
+endif
+
+ifdef NEED_ABSOLUTE_PATH
+abspath = $(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))
+else
+abspath = $(1)
+endif
+
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $<
+	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+else
+ifdef NEED_ABSOLUTE_PATH
+	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
+endif
 
 $(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $<
+	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+else
+ifdef NEED_ABSOLUTE_PATH
+	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
+endif
 
 ifndef XP_OS2_VACPP
-ifneq (,$(filter-out WIN%,$(OS_TARGET)))
+ifneq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.s
 	@$(MAKE_OBJDIR)
 	$(AS) -o $@ $(ASFLAGS) -c $<
 endif
 endif
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.asm
 	@$(MAKE_OBJDIR)
@@ -413,40 +452,48 @@ endif
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
 	@$(MAKE_OBJDIR)
 	$(AS) -o $@ $(ASFLAGS) -c $<
 
 $(OBJDIR)/$(PROG_PREFIX)%: %.cpp
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $<
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+else
+ifdef NEED_ABSOLUTE_PATH
+	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
+endif
 
 #
 # Please keep the next two rules in sync.
 #
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
 	@$(MAKE_OBJDIR)
 	$(CCC) -o $@ -c $(CFLAGS) $<
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
 	@$(MAKE_OBJDIR)
 ifdef STRICT_CPLUSPLUS_SUFFIX
 	echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
 	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
 	rm -f $(OBJDIR)/t_$*.cc
 else
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $<
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+else
+ifdef NEED_ABSOLUTE_PATH
+	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
+endif
 endif #STRICT_CPLUSPLUS_SUFFIX
 
 %.i: %.cpp
 	$(CCC) -C -E $(CFLAGS) $< > $*.i
 
 %.i: %.c
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 	$(CC) -C /P $(CFLAGS) $< 
deleted file mode 100644
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-coreconf_hack:
-	cd ../coreconf; gmake
-	gmake import
-
-RelEng_bld: coreconf_hack
-	gmake
deleted file mode 100644
--- a/security/dbm/config/config.mk
+++ /dev/null
@@ -1,67 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# These macros are defined by mozilla's configure script.
-# We define them manually here.
-#
-
-DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR
-
-#
-# Most platforms have snprintf, so it's simpler to list the exceptions.
-#
-HAVE_SNPRINTF = 1
-#
-# OSF1 V4.0D doesn't have snprintf but V5.0A does.
-#
-ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D)
-HAVE_SNPRINTF =
-endif
-ifdef HAVE_SNPRINTF
-DEFINES += -DHAVE_SNPRINTF
-endif
-
-ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_CDEFS_H
-endif
-
-ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_BYTEORDER_H
-endif
-
-#
-# None of the platforms that we are interested in need to
-# define HAVE_MEMORY_H.
-#
deleted file mode 100644
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS =	nsres.h   \
-		cdefs.h   \
-		mcom_db.h \
-		ncompat.h \
-		winfile.h \
-		$(NULL)
-
-PRIVATE_EXPORTS =	hsearch.h \
-			page.h    \
-			extern.h  \
-			ndbm.h    \
-			queue.h   \
-			hash.h    \
-			mpool.h   \
-			search.h  \
-			$(NULL)
-
deleted file mode 100644
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,45 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-IMPORTS = nspr20/v4.1.2
-
-RELEASE = dbm
-
-DIRS =  include \
-        src     \
-	$(NULL)
deleted file mode 100644
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(CORE_DEPTH)/dbm/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-#  Currently, override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY   =
-PROGRAM        =
-
-ifdef SHARED_LIBRARY
-	ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16
-		DLLBASE=/BASE:0x30000000
-		RES=$(OBJDIR)/dbm.res
-		RESNAME=../include/dbm.rc
-	endif
-	ifeq ($(DLL_SUFFIX),dll)
-		DEFINES += -D_DLL
-	endif
-endif
-
-ifeq ($(OS_TARGET),AIX)
-	OS_LIBS += -lc_r
-endif
deleted file mode 100644
--- a/security/dbm/src/dirent.c
+++ /dev/null
@@ -1,348 +0,0 @@
-#ifdef OS2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <dirent.h>
-#include <errno.h>
-
-/*#ifndef __EMX__ 
-#include <libx.h>
-#endif */
-
-#define INCL_DOSFILEMGR
-#define INCL_DOSERRORS
-#include <os2.h>
-
-#if OS2 >= 2
-# define FFBUF	FILEFINDBUF3
-# define Word	ULONG
-  /*
-   * LS20 recommends a request count of 100, but according to the
-   * APAR text it does not lead to missing files, just to funny
-   * numbers of returned entries.
-   *
-   * LS30 HPFS386 requires a count greater than 2, or some files
-   * are missing (those starting with a character less that '.').
-   *
-   * Novell looses entries which overflow the buffer. In previous
-   * versions of dirent2, this could have lead to missing files
-   * when the average length of 100 directory entries was 40 bytes
-   * or more (quite unlikely for files on a Novell server).
-   *
-   * Conclusion: Make sure that the entries all fit into the buffer
-   * and that the buffer is large enough for more than 2 entries
-   * (each entry is at most 300 bytes long). And ignore the LS20
-   * effect.
-   */
-# define Count	25
-# define BufSz	(25 * (sizeof(FILEFINDBUF3)+1))
-#else
-# define FFBUF	FILEFINDBUF
-# define Word	USHORT
-# define BufSz	1024
-# define Count	3
-#endif
-
-#if defined(__IBMC__) || defined(__IBMCPP__)
-  #define error(rc) _doserrno = rc, errno = EOS2ERR
-#elif defined(MICROSOFT)
-  #define error(rc) _doserrno = rc, errno = 255
-#else
-  #define error(rc) errno = 255
-#endif
-
-struct _dirdescr {
-	HDIR		handle;		/* DosFindFirst handle */
-	char		fstype;		/* filesystem type */
-	Word		count;		/* valid entries in <ffbuf> */
-	long		number;		/* absolute number of next entry */
-	int		index;		/* relative number of next entry */
-	FFBUF *		next;		/* pointer to next entry */
-	char		name[MAXPATHLEN+3]; /* directory name */
-	unsigned	attrmask;	/* attribute mask for seekdir */
-	struct dirent	entry;		/* buffer for directory entry */
-	BYTE		ffbuf[BufSz];
-};
-
-/*
- * Return first char of filesystem type, or 0 if unknown.
- */
-static char
-getFSType(const char *path)
-{
-	static char cache[1+26];
-	char drive[3], info[512];
-	Word unit, infolen;
-	char r;
-
-	if (isalpha(path[0]) && path[1] == ':') {
-		unit = toupper(path[0]) - '@';
-		path += 2;
-	} else {
-		ULONG driveMap;
-#if OS2 >= 2
-		if (DosQueryCurrentDisk(&unit, &driveMap))
-#else
-		if (DosQCurDisk(&unit, &driveMap))
-#endif
-			return 0;
-	}
-
-	if ((path[0] == '\\' || path[0] == '/')
-	 && (path[1] == '\\' || path[1] == '/'))
-		return 0;
-
-	if (cache [unit])
-		return cache [unit];
-
-	drive[0] = '@' + unit;
-	drive[1] = ':';
-	drive[2] = '\0';
-	infolen = sizeof info;
-#if OS2 >= 2
-	if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
-		return 0;
-	if (infolen >= sizeof(FSQBUFFER2)) {
-		FSQBUFFER2 *p = (FSQBUFFER2 *)info;
-		r = p->szFSDName[p->cbName];
-	} else
-#else
-	if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
-		return 0;
-	if (infolen >= 9) {
-		char *p = info + sizeof(USHORT);
-		p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
-		r = *p;
-	} else
-#endif
-		r = 0;
-	return cache [unit] = r;
-}
-
-char *
-abs_path(const char *name, char *buffer, int len)
-{
-	char buf[4];
-	if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') {
-		buf[0] = name[0];
-		buf[1] = name[1];
-		buf[2] = '.';
-		buf[3] = '\0';
-		name = buf;
-	}
-#if OS2 >= 2
-	if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len))
-#else
-	if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L))
-#endif
-		return NULL;
-	return buffer;
-}
-
-DIR *
-openxdir(const char *path, unsigned att_mask)
-{
-	DIR *dir;
-	char name[MAXPATHLEN+3];
-	Word rc;
-
-	dir = malloc(sizeof(DIR));
-	if (dir == NULL) {
-		errno = ENOMEM;
-		return NULL;
-	}
-
-	strncpy(name, path, MAXPATHLEN);
-	name[MAXPATHLEN] = '\0';
-	switch (name[strlen(name)-1]) {
-	default:
-		strcat(name, "\\");
-	case '\\':
-	case '/':
-	case ':':
-		;
-	}
-	strcat(name, ".");
-	if (!abs_path(name, dir->name, MAXPATHLEN+1))
-		strcpy(dir->name, name);
-	if (dir->name[strlen(dir->name)-1] == '\\')
-		strcat(dir->name, "*");
-	else
-		strcat(dir->name, "\\*");
-
-	dir->fstype = getFSType(dir->name);
-	dir->attrmask = att_mask | A_DIR;
-
-	dir->handle = HDIR_CREATE;
-	dir->count = 100;
-#if OS2 >= 2
-	rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask,
-		dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-	rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask,
-		(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-	switch (rc) {
-	default:
-		free(dir);
-		error(rc);
-		return NULL;
-	case NO_ERROR:
-	case ERROR_NO_MORE_FILES:
-		;
-	}
-
-	dir->number = 0;
-	dir->index = 0;
-	dir->next = (FFBUF *)dir->ffbuf;
-
-	return (DIR *)dir;
-}
-
-DIR *
-opendir(const char *pathname)
-{
-	return openxdir(pathname, 0);
-}
-
-struct dirent *
-readdir(DIR *dir)
-{
-	static int dummy_ino = 2;
-
-	if (dir->index == dir->count) {
-		Word rc;
-		dir->count = 100;
-#if OS2 >= 2
-		rc = DosFindNext(dir->handle, dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#else
-		rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#endif
-		if (rc) {
-			error(rc);
-			return NULL;
-		}
-
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	if (dir->index == dir->count)
-		return NULL;
-
-	memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName);
-	dir->entry.d_name[dir->next->cchName] = '\0';
-	dir->entry.d_ino = dummy_ino++;
-	dir->entry.d_reclen = dir->next->cchName;
-	dir->entry.d_namlen = dir->next->cchName;
-	dir->entry.d_size = dir->next->cbFile;
-	dir->entry.d_attribute = dir->next->attrFile;
-	dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite;
-	dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite;
-
-	switch (dir->fstype) {
-	case 'F': /* FAT */
-	case 'C': /* CDFS */
-		if (dir->next->attrFile & FILE_DIRECTORY)
-			strupr(dir->entry.d_name);
-		else
-			strlwr(dir->entry.d_name);
-	}
-
-#if OS2 >= 2
-	dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset);
-#else
-	dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1);
-#endif
-	++dir->number;
-	++dir->index;
-
-	return &dir->entry;
-}
-
-long
-telldir(DIR *dir)
-{
-	return dir->number;
-}
-
-void
-seekdir(DIR *dir, long off)
-{
-	if (dir->number > off) {
-		char name[MAXPATHLEN+2];
-		Word rc;
-
-		DosFindClose(dir->handle);
-
-		strcpy(name, dir->name);
-		strcat(name, "*");
-
-		dir->handle = HDIR_CREATE;
-		dir->count = 32767;
-#if OS2 >= 2
-		rc = DosFindFirst(name, &dir->handle, dir->attrmask,
-			dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-		rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask,
-			(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-		switch (rc) {
-		default:
-			error(rc);
-			return;
-		case NO_ERROR:
-		case ERROR_NO_MORE_FILES:
-			;
-		}
-
-		dir->number = 0;
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	while (dir->number < off && readdir(dir))
-		;
-}
-
-void
-closedir(DIR *dir)
-{
-	DosFindClose(dir->handle);
-	free(dir);
-}
-
-/*****************************************************************************/
-
-#ifdef TEST
-
-main(int argc, char **argv)
-{
-	int i;
-	DIR *dir;
-	struct dirent *ep;
-
-	for (i = 1; i < argc; ++i) {
-		dir = opendir(argv[i]);
-		if (!dir)
-			continue;
-		while (ep = readdir(dir))
-			if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1]))
-				printf("%s%s\n", argv[i], ep->d_name);
-			else
-				printf("%s/%s\n", argv[i], ep->d_name);
-		closedir(dir);
-	}
-
-	return 0;
-}
-
-#endif
-
-#endif /* OS2 */
-
deleted file mode 100644
--- a/security/dbm/src/dirent.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __DIRENT_H__
-#define __DIRENT_H__
-/*
- * @(#)msd_dir.h 1.4 87/11/06   Public Domain.
- *
- *  A public domain implementation of BSD directory routines for
- *  MS-DOS.  Written by Michael Rendell ({uunet,utai}michael@garfield),
- *  August 1897
- *
- *  Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks
- *  and returns 2 more pieces of information - file size & attribute.
- *  Plus a little reshuffling of some #define's positions    December 1987
- *
- *  Some modifications by Martin Junius                      02-14-89
- *
- *	AK900712
- *	AK910410	abs_path - make absolute path
- *
- */
-
-#ifdef __EMX__
-#include <sys/param.h>
-#else
-#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC)
-#include <stdio.h>
-#ifdef MAXPATHLEN
-	#undef MAXPATHLEN
-#endif
-#define MAXPATHLEN (FILENAME_MAX*4)
-#define MAXNAMLEN FILENAME_MAX
-
-#else
-#include <param.h>
-#endif
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* attribute stuff */
-#ifndef A_RONLY
-# define A_RONLY   0x01
-# define A_HIDDEN  0x02
-# define A_SYSTEM  0x04
-# define A_LABEL   0x08
-# define A_DIR     0x10
-# define A_ARCHIVE 0x20
-#endif
-
-struct dirent {
-#if defined(OS2) || defined(WIN32)        /* use the layout of EMX to avoid trouble */
-    int            d_ino;                 /* Dummy */
-    int            d_reclen;		  /* Dummy, same as d_namlen */
-    int            d_namlen;              /* length of name */
-    char           d_name[MAXNAMLEN + 1];
-    unsigned long  d_size;
-    unsigned short d_attribute;           /* attributes (see above) */
-    unsigned short d_time;                /* modification time */
-    unsigned short d_date;                /* modification date */
-#else
-    char	   d_name[MAXNAMLEN + 1]; /* garentee null termination */
-    char	   d_attribute;		  /* .. extension .. */
-    unsigned long  d_size;		  /* .. extension .. */
-#endif
-};
-
-typedef struct _dirdescr DIR;
-/* the structs do not have to be defined here */
-
-extern DIR		*opendir(const char *);
-extern DIR		*openxdir(const char *, unsigned);
-extern struct dirent	*readdir(DIR *);
-extern void		seekdir(DIR *, long);
-extern long		telldir(DIR *);
-extern void 		closedir(DIR *);
-#define			rewinddir(dirp) seekdir(dirp, 0L)
-
-extern char *		abs_path(const char *name, char *buffer, int len);
-
-#ifndef S_IFMT
-#define S_IFMT ( S_IFDIR | S_IFREG )
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR( m )                    (((m) & S_IFMT) == S_IFDIR)
-#endif
-
-#ifndef S_ISREG
-#define S_ISREG( m )                    (((m) & S_IFMT) == S_IFREG)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
deleted file mode 100644
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-#
-# memmove.c, snprintf.c, and strerror.c are not in CSRCS because
-# the Standard C Library has memmove and strerror and DBM is not
-# using snprintf.
-#
-
-CSRCS = db.c	   \
-	h_bigkey.c \
-	h_func.c   \
-	h_log2.c   \
-	h_page.c   \
-	hash.c	   \
-	hash_buf.c \
-	hsearch.c  \
-	mktemp.c   \
-	ndbm.c	   \
-	nsres.c	   \
-	dirent.c	   \
-	$(NULL)
-
-LIBRARY_NAME = dbm
deleted file mode 100644
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-VPATH		= $(CORE_DEPTH)/../dbm/tests
-
-MODULE		= dbm
-
-CSRCS		= lots.c
-
-PROGRAM		= lots
-
-include $(DEPTH)/coreconf/config.mk
-
-include $(DEPTH)/dbm/config/config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET))) 
-LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS		= $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
-	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
-	$(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
-	purify $(CC) -o crash.pure $(CFLAGS) $^
-
--- a/security/nss/cmd/dbtest/Makefile
+++ b/security/nss/cmd/dbtest/Makefile
@@ -55,17 +55,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 include ../platlibs.mk
 
 ifdef XP_OS2_VACPP
 CFLAGS += -I../modutil
 endif
 
 ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
 ifndef BUILD_OPT
+ifndef NS_USE_GCC
 LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
+endif
 OS_CFLAGS += -D_CONSOLE
 endif
 endif
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -34,58 +34,58 @@
 
 ifdef USE_STATIC_LIBS
 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
 DEFINES += -DNSS_USE_STATIC_LIBS
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/freebl.lib
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 ifdef MOZILLA_SECURITY_BUILD
 	CRYPTOLIB=$(DIST)/lib/crypto.lib
 endif
 ifdef MOZILLA_BSAFE_BUILD
 	CRYPTOLIB+=$(DIST)/lib/bsafe$(BSAFEVER).lib
 	CRYPTOLIB+=$(DIST)/lib/freebl.lib
 endif
 
 EXTRA_LIBS += \
-	$(DIST)/lib/smime.lib \
-	$(DIST)/lib/ssl.lib \
-	$(DIST)/lib/nss.lib \
-	$(DIST)/lib/ssl.lib \
-	$(DIST)/lib/sectool.lib \
-	$(DIST)/lib/pkcs12.lib \
-	$(DIST)/lib/pkcs7.lib \
-	$(DIST)/lib/certhi.lib \
-	$(DIST)/lib/cryptohi.lib \
-	$(DIST)/lib/pk11wrap.lib \
-	$(DIST)/lib/certdb.lib \
-	$(DIST)/lib/softokn.lib \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
 	$(CRYPTOLIB) \
-	$(DIST)/lib/swfci.lib \
-	$(DIST)/lib/secutil.lib \
-	$(DIST)/lib/nsspki.lib \
-	$(DIST)/lib/nssdev.lib \
-	$(DIST)/lib/nssb.lib \
-	$(DIST)/lib/dbm.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 
-JAR_LIBS = $(DIST)/lib/jar.lib \
-	$(DIST)/lib/zlib.lib \
+JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX) \
 	$(NULL)
 else
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 ifdef MOZILLA_SECURITY_BUILD
 	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
 endif
@@ -145,71 +145,64 @@ JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.
 	$(NULL)
 
 else # USE_STATIC_LIBS
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 EXTRA_LIBS += \
-	$(DIST)/lib/sectool.lib \
-	$(DIST)/lib/smime3.lib \
-	$(DIST)/lib/ssl3.lib \
-	$(DIST)/lib/nss3.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 
-JAR_LIBS = $(DIST)/lib/jar.lib \
-	$(DIST)/lib/zlib.lib \
+JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX) \
 	$(NULL)
 else
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
-# On Linux we must use the -rpath-link option to tell the linker
-# where to find libsoftokn3.so, an implicit dependency of libnss3.so.
-ifeq ($(OS_ARCH), Linux) 
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-
-ifeq ($(OS_ARCH), BSD_OS) 
+# If GNU ld is used, we must use the -rpath-link option to tell
+# the linker where to find libsoftokn3.so, an implicit dependency
+# of libnss3.so.
+ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD, $(OS_ARCH)))
 EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
 endif
 
-ifeq ($(OS_ARCH), FreeBSD)
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-
-ifeq ($(OS_ARCH), Darwin)
-EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
-endif
-
 ifeq ($(OS_ARCH), SunOS)
 ifdef NS_USE_GCC
 ifdef GCC_USE_GNU_LD
 EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
 endif
 endif
 endif
 
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
+endif
+
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lssl3 \
 	-lsmime3 \
 	-lnss3 \
--- a/security/nss/cmd/rsaperf/Makefile
+++ b/security/nss/cmd/rsaperf/Makefile
@@ -50,17 +50,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 include ../platlibs.mk
 
 ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  #omits WINCE
 ifndef BUILD_OPT
+ifndef NS_USE_GCC
 LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
+endif
 OS_CFLAGS += -D_CONSOLE
 endif
 endif
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
--- a/security/nss/cmd/shlibsign/Makefile
+++ b/security/nss/cmd/shlibsign/Makefile
@@ -70,17 +70,17 @@ ifeq ($(OS_TARGET), SunOS)
    endif
 endif
 endif
 
 ifdef LOADABLE_FREEBL
     CHECKFILES += freebl_pure32_3.chk freebl_hybrid_3.chk
 endif
 
-CHECKLOC=$(addprefix $(DIST)/lib/$(LIB_PREFIX), $(CHECKFILES))
+CHECKLOC=$(addprefix $(DIST)/lib/$(DLL_PREFIX), $(CHECKFILES))
 
 MD_LIB_RELEASE_FILES = $(CHECKLOC)
 ALL_TRASH += $(CHECKLOC)
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
@@ -96,15 +96,15 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 
 include ../platrules.mk
 
 %.chk: %.$(DLL_SUFFIX) 
 ifeq ($(OS_TARGET), OS2)
-	-exec sign.cmd $(DIST) $(OBJDIR) $(OS_TARGET) $<
+	@cmd.exe /c sign.cmd $(DIST) $(OBJDIR) $(OS_TARGET) $<
 else
 	@sh ./sign.sh $(DIST) $(OBJDIR) $(OS_TARGET) $<
 endif
 
 libs install :: $(CHECKLOC)
 
--- a/security/nss/cmd/shlibsign/sign.cmd
+++ b/security/nss/cmd/shlibsign/sign.cmd
@@ -1,15 +1,16 @@
 /* Equivalent to sign.sh for OS/2 */
 PARSE ARG dist objdir os_target therest
 dist=forwardtoback(dist);
 objdir=forwardtoback(objdir);
 'echo 'dist
 'echo 'objdir
 'set BEGINLIBPATH='dist'\lib;%BEGINLIBPATH%'
+'set LIBPATHSTRICT=T'
 objdir'\shlibsign -v -i 'therest
 exit
 
 forwardtoback: procedure
   arg pathname
   parse var pathname pathname'/'rest
   do while (rest <> "")
     pathname = pathname'\'rest
--- a/security/nss/cmd/tstclnt/Makefile
+++ b/security/nss/cmd/tstclnt/Makefile
@@ -51,17 +51,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
 ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
 ifndef BUILD_OPT
+ifndef NS_USE_GCC
 LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
+endif
 OS_CFLAGS += -D_CONSOLE
 endif
 endif
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
--- a/security/nss/cmd/vfyserv/Makefile
+++ b/security/nss/cmd/vfyserv/Makefile
@@ -51,17 +51,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
 ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
 ifndef BUILD_OPT
+ifndef NS_USE_GCC
 LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
+endif
 OS_CFLAGS += -D_CONSOLE
 endif
 endif
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -1476,17 +1476,17 @@ CERT_UnlockCertTrust(CERTCertificate *ce
  */ 
 extern SECItem *
 CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
 			   SECOidTag digestAlg, SECItem *fill);
 
 /*
  * fill in nsCertType field of the cert based on the cert extension
  */
-extern SECStatus CERT_GetCertType(CERTCertificate *cert);
+extern SECStatus cert_GetCertType(CERTCertificate *cert);
 
 
 SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
                         SECItem* dp, int64 t, void* wincx);
 
 
 SEC_END_PROTOS
 
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -518,146 +518,153 @@ findOIDinOIDSeqByTagNum(CERTOidSequence 
     }
     return rv;
 }
 
 /*
  * fill in nsCertType field of the cert based on the cert extension
  */
 SECStatus
-CERT_GetCertType(CERTCertificate *cert)
+cert_GetCertType(CERTCertificate *cert)
 {
     SECStatus rv;
     SECItem tmpitem;
     SECItem encodedExtKeyUsage;
     CERTOidSequence *extKeyUsage = NULL;
     PRBool basicConstraintPresent = PR_FALSE;
     CERTBasicConstraints basicConstraint;
+    unsigned int nsCertType = 0;
+
+    if (cert->nsCertType) {
+        /* once set, no need to recalculate */
+        return SECSuccess;
+    }
 
     tmpitem.data = NULL;
     CERT_FindNSCertTypeExtension(cert, &tmpitem);
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, 
 				&encodedExtKeyUsage);
     if (rv == SECSuccess) {
 	extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
     }
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv == SECSuccess) {
 	basicConstraintPresent = PR_TRUE;
     }
     if (tmpitem.data != NULL || extKeyUsage != NULL) {
 	if (tmpitem.data == NULL) {
-	    cert->nsCertType = 0;
+	    nsCertType = 0;
 	} else {
-	    cert->nsCertType = tmpitem.data[0];
+	    nsCertType = tmpitem.data[0];
 	}
 
 	/* free tmpitem data pointer to avoid memory leak */
 	PORT_Free(tmpitem.data);
 	tmpitem.data = NULL;
 	
 	/*
 	 * for this release, we will allow SSL certs with an email address
 	 * to be used for email
 	 */
-	if ( ( cert->nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
+	if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
 	    cert->emailAddr ) {
-	    cert->nsCertType |= NS_CERT_TYPE_EMAIL;
+	    nsCertType |= NS_CERT_TYPE_EMAIL;
 	}
 	/*
 	 * for this release, we will allow SSL intermediate CAs to be
 	 * email intermediate CAs too.
 	 */
-	if ( cert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
-	    cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	if ( nsCertType & NS_CERT_TYPE_SSL_CA ) {
+	    nsCertType |= NS_CERT_TYPE_EMAIL_CA;
 	}
 	/*
 	 * allow a cert with the extended key usage of EMail Protect
 	 * to be used for email or as an email CA, if basic constraints
 	 * indicates that it is a CA.
 	 */
 	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
 				    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
 	    SECSuccess) {
 	    if (basicConstraintPresent == PR_TRUE &&
 		(basicConstraint.isCA)) {
-		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
 	    } else {
-		cert->nsCertType |= NS_CERT_TYPE_EMAIL;
+		nsCertType |= NS_CERT_TYPE_EMAIL;
 	    }
 	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
 				    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
 	    SECSuccess){
 	    if (basicConstraintPresent == PR_TRUE &&
 		(basicConstraint.isCA)) {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
 	    } else {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
 	    }
 	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage,
 				    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
 	    SECSuccess){
 	    if (basicConstraintPresent == PR_TRUE &&
 		(basicConstraint.isCA)) {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
 	    } else {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
+		nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
 	    }
 	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage,
 				    SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
 	    SECSuccess) {
 	    if (basicConstraintPresent == PR_TRUE &&
 		(basicConstraint.isCA)) {
-		cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
+		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
 	    } else {
-		cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
+		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
 	    }
 	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage,
 				    SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
 	    SECSuccess) {
-	    cert->nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
+	    nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
 	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage,
 				    SEC_OID_OCSP_RESPONDER) == 
 	    SECSuccess) {
-	    cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	    nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
 	}
     } else {
 	/* if no extension, then allow any ssl or email (no ca or object
 	 * signing)
 	 */
-	cert->nsCertType = NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
+	nsCertType = NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
 	    NS_CERT_TYPE_EMAIL;
 
 	/* if the basic constraint extension says the cert is a CA, then
 	   allow SSL CA and EMAIL CA and Status Responder */
 	if ((basicConstraintPresent == PR_TRUE)
 	    && (basicConstraint.isCA)) {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
-		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-		cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+		nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
 	} else if (CERT_IsCACert(cert, NULL) == PR_TRUE) {
-		cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+		nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
 	}
 
 	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
 	if (fortezzaIsCA(cert)) {
-		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
-		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
 	}
     }
 
     if (extKeyUsage != NULL) {
 	PORT_Free(encodedExtKeyUsage.data);
 	CERT_DestroyOidSequence(extKeyUsage);
     }
+    PR_AtomicSet(&cert->nsCertType, nsCertType);
     return(SECSuccess);
 }
 
 /*
  * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
  */
 SECStatus
 cert_GetKeyID(CERTCertificate *cert)
@@ -872,17 +879,17 @@ CERT_DecodeDERCertificate(SECItem *derSi
 
     /* initialize keyUsage */
     rv = GetKeyUsage(cert);
     if ( rv != SECSuccess ) {
 	goto loser;
     }
 
     /* initialize the certType */
-    rv = CERT_GetCertType(cert);
+    rv = cert_GetCertType(cert);
     if ( rv != SECSuccess ) {
 	goto loser;
     }
 
     /* determine if this is a root cert */
     cert->isRoot = cert_IsRootCert(cert);
 
     tmpname = CERT_NameToAscii(&cert->subject);
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -1260,17 +1260,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
                              (requiredUsages & certificateUsageSSLServerWithStepUp));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if ( validity != secCertTimeValid ) {
         LOG_ERROR(log,cert,0,validity);
 	return SECFailure;
     }
 
     /* check key usage and netscape cert type */
-    CERT_GetCertType(cert);
+    cert_GetCertType(cert);
     certType = cert->nsCertType;
 
     for (i=1;i<=certificateUsageHighest && !(SECFailure == valid && !returnedUsages) ;) {
         PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
         if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
             NEXT_ITERATION();
         }
         if (returnedUsages) {
@@ -1482,17 +1482,17 @@ CERT_VerifyCert(CERTCertDBHandle *handle
     allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
                              (certUsage == certUsageSSLServerWithStepUp));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if ( validity != secCertTimeValid ) {
 	LOG_ERROR_OR_EXIT(log,cert,0,validity);
     }
 
     /* check key usage and netscape cert type */
-    CERT_GetCertType(cert);
+    cert_GetCertType(cert);
     certType = cert->nsCertType;
     switch ( certUsage ) {
       case certUsageSSLClient:
       case certUsageSSLServer:
       case certUsageSSLServerWithStepUp:
       case certUsageSSLCA:
       case certUsageEmailSigner:
       case certUsageEmailRecipient:
--- a/security/nss/lib/ckfw/builtins/Makefile
+++ b/security/nss/lib/ckfw/builtins/Makefile
@@ -39,20 +39,32 @@ include config.mk
 EXTRA_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(NULL)
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
+# Link with the real NSPR DLLs for MinGW because the NSPR stubs in
+# nsprstub.c can't resolve the references to the _imp__PR_XXX symbols.
+# This is merely an expedient hack and not the right solution.
+ifdef NS_USE_GCC
+EXTRA_LIBS += \
+	-L$(DIST)/lib \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else
 EXTRA_LIBS += \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
 	$(NULL)
+endif
 
 else
 
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NULL)
 
--- a/security/nss/lib/ckfw/builtins/config.mk
+++ b/security/nss/lib/ckfw/builtins/config.mk
@@ -38,17 +38,17 @@ CONFIG_CVS_ID = "@(#) $RCSfile$ $Revisio
 #
 
 TARGETS        = $(SHARED_LIBRARY)
 LIBRARY        =
 IMPORT_LIBRARY =
 PROGRAM        =
 
 ifeq (,$(filter-out OS2 WIN%,$(OS_TARGET)))
-    SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+    SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
 endif
 
 ifdef BUILD_IDG
     DEFINES += -DNSSDEBUG
 endif
 
 #
 # To create a loadable module on Darwin, we must use -bundle.
--- a/security/nss/lib/ckfw/builtins/manifest.mn
+++ b/security/nss/lib/ckfw/builtins/manifest.mn
@@ -30,16 +30,17 @@
 # may use your version of this file under either the MPL or the
 # GPL.
 #
 MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
 
 CORE_DEPTH = ../../../..
 
 MODULE = nss
+MAPFILE = $(OBJDIR)/nssckbi.def
 
 EXPORTS =		\
 	nssckbi.h	\
 	$(NULL)
 
 CSRCS =			\
 	anchor.c	\
 	constants.c	\
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/nssckbi.def
@@ -0,0 +1,53 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2003 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#     line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.1 {       # NSS 3.1 release
+;+    global:
+LIBRARY nssckbi ;-
+EXPORTS ;-
+C_GetFunctionList;
+;+    local:
+;+*;
+;+};
--- a/security/nss/lib/ckfw/ckapi.perl
+++ b/security/nss/lib/ckfw/ckapi.perl
@@ -484,21 +484,17 @@ static CK_RV CK_ENTRY
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
 )
 {
   *ppFunctionList = &FunctionList;
   return CKR_OK;
 }
 
 /* This one is always present */
-#ifdef WIN32
-CK_RV _declspec(dllexport)
-#else
 CK_RV CK_ENTRY
-#endif
 C_GetFunctionList
 (
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
 )
 {
   return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
 }
 
--- a/security/nss/lib/ckfw/nsprstub.c
+++ b/security/nss/lib/ckfw/nsprstub.c
@@ -278,16 +278,22 @@ nssPointerTracker_remove(nssPointerTrack
 
 PR_IMPLEMENT(PRStatus)
 nssPointerTracker_verify(nssPointerTracker *tracker, const void *pointer)
 {
      return PR_SUCCESS;
 }
 #endif
 
+/*
+ * Do not use NSPR stubs for MinGW because they can't resolve references
+ * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
+ * the right solution.
+ */
+#if !(defined(WIN32) && defined(__GNUC__))
 PR_IMPLEMENT(PRThread *)
 PR_GetCurrentThread(void)
 {
      return (PRThread *)1;
 }
 
 
 
@@ -332,28 +338,35 @@ PR_IMPLEMENT(PRStatus) PR_Sleep(PRInterv
 PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
 
 PR_IMPLEMENT(PRInt32) PR_AtomicSet(PRInt32 *val) { return ++(*val); }
 
 #endif
 
 /* now make the RNG happy */ /* This is not atomic! */
 PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
+#endif /* ! (WIN32 && GCC) */
 
 CK_C_INITIALIZE_ARGS_PTR nssstub_initArgs = NULL;
 NSSArena *nssstub_arena = NULL;
 PR_IMPLEMENT(void)
 nssSetLockArgs(CK_C_INITIALIZE_ARGS_PTR pInitArgs)
 {
     if (nssstub_initArgs == NULL) {
 	nssstub_initArgs = pInitArgs;
 	/* nssstub_arena = NSSArena_Create(); */
     }
 }
 
+/*
+ * Do not use NSPR stubs for MinGW because they can't resolve references
+ * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
+ * the right solution.
+ */
+#if !(defined(WIN32) && defined(__GNUC__))
 #include "prlock.h"
 PR_IMPLEMENT(PRLock *)
 PR_NewLock(void) {
 	PRLock *lock = NULL;
 	NSSCKFWMutex *mlock = NULL;
 	CK_RV error;
 
 	mlock = nssCKFWMutex_Create(nssstub_initArgs,nssstub_arena,&error);
@@ -432,11 +445,12 @@ PR_IMPLEMENT(PRStatus) PR_CallOnce(
 /*
 ** Compute the log of the least power of 2 greater than or equal to n
 */
 PRIntn PR_CeilingLog2(PRUint32 i) {
 	PRIntn log2;
 	PR_CEILING_LOG2(log2,i);
 	return log2;
 }
+#endif /* ! (WIN32 && GCC) */
 
 /********************** end of arena functions ***********************/
 
--- a/security/nss/lib/ckfw/nssck.api
+++ b/security/nss/lib/ckfw/nssck.api
@@ -1869,21 +1869,17 @@ static CK_RV CK_ENTRY
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
 )
 {
   *ppFunctionList = &FunctionList;
   return CKR_OK;
 }
 
 /* This one is always present */
-#if defined(WIN32) || defined(XP_OS2_VACPP)
-CK_RV _declspec(dllexport)
-#else
 CK_RV CK_ENTRY
-#endif
 C_GetFunctionList
 (
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
 )
 {
   return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
 }
 
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -318,16 +318,28 @@ extern const NSSError NSS_ERROR_USER_CAN
 
 NSS_EXTERN PRStatus
 nssSlot_Logout
 (
   NSSSlot *slot,
   nssSession *sessionOpt
 );
 
+NSS_EXTERN void
+nssSlot_EnterMonitor
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN void
+nssSlot_ExitMonitor
+(
+  NSSSlot *slot
+);
+
 #define NSSSLOT_ASK_PASSWORD_FIRST_TIME -1
 #define NSSSLOT_ASK_PASSWORD_EVERY_TIME  0
 NSS_EXTERN void
 nssSlot_SetPasswordDefaults
 (
   NSSSlot *slot,
   PRInt32 askPasswordTimeout
 );
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -71,16 +71,17 @@ struct NSSSlotStr
 {
   struct nssDeviceBaseStr base;
   NSSModule *module; /* Parent */
   NSSToken *token;  /* Peer */
   CK_SLOT_ID slotID;
   CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
   struct nssSlotAuthInfoStr authInfo;
   PRIntervalTime lastTokenPing;
+  PZLock *lock;
 #ifdef NSS_3_4_CODE
   PK11SlotInfo *pk11slot;
 #endif
 };
 #endif /* PURE_STAN_CODE */
 
 #define NSSSLOT_IS_FRIENDLY(slot) \
   (slot->base.flags & NSSSLOT_FLAGS_FRIENDLY)
@@ -146,16 +147,19 @@ nssSlot_Create
     }
     rvSlot->base.arena = arena;
     rvSlot->base.refCount = 1;
     rvSlot->base.name = slotName;
     rvSlot->base.lock = PZ_NewLock(nssNSSILockOther); /* XXX */
     if (!rvSlot->base.lock) {
 	goto loser;
     }
+    if (!nssModule_IsThreadSafe(parent)) {
+	rvSlot->lock = nssModule_GetLock(parent);
+    }
     rvSlot->module = parent; /* refs go from module to slots */
     rvSlot->slotID = slotID;
     rvSlot->ckFlags = slotInfo.flags;
     /* Initialize the token if present. */
     if (slotInfo.flags & CKF_TOKEN_PRESENT) {
 	token = nssToken_Create(slotID, rvSlot);
 	if (!token) {
 	    goto loser;
@@ -185,16 +189,32 @@ nssSlot_Destroy
 	    nssModule_DestroyFromSlot(slot->module, slot);
 #endif
 	    return nssArena_Destroy(slot->base.arena);
 	}
     }
     return PR_SUCCESS;
 }
 
+void
+nssSlot_EnterMonitor(NSSSlot *slot)
+{
+    if (slot->lock) {
+	PZ_Lock(slot->lock);
+    }
+}
+
+void
+nssSlot_ExitMonitor(NSSSlot *slot)
+{
+    if (slot->lock) {
+	PZ_Unlock(slot->lock);
+    }
+}
+
 NSS_IMPLEMENT void
 NSSSlot_Destroy
 (
   NSSSlot *slot
 )
 {
     (void)nssSlot_Destroy(slot);
 }
@@ -269,17 +289,19 @@ nssSlot_IsTokenPresent
 #ifdef PURE_STAN_BUILD
     epv = nssModule_GetCryptokiEPV(slot->module);
 #else
     epv = slot->epv;
 #endif
     if (!epv) {
 	return PR_FALSE;
     }
+    nssSlot_EnterMonitor(slot);
     ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
+    nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
 	slot->token->base.name[0] = 0; /* XXX */
 	return PR_FALSE;
     }
     slot->ckFlags = slotInfo.flags;
     /* check for the presence of the token */
     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
 	if (!slot->token) {
@@ -767,47 +789,52 @@ nssSlot_CreateSession
     if (ckrv != CKR_OK) {
 	/* set an error here, eh? */
 	return (nssSession *)NULL;
     }
     rvSession = nss_ZNEW(arenaOpt, nssSession);
     if (!rvSession) {
 	return (nssSession *)NULL;
     }
-    if (!nssModule_IsThreadSafe(slot->module)) {
-	/* If the parent module is not threadsafe, create lock to manage 
-	 * session within threads.
+    if (nssModule_IsThreadSafe(slot->module)) {
+	/* If the parent module is threadsafe, 
+         * create lock to protect just this session.
 	 */
 	rvSession->lock = PZ_NewLock(nssILockOther);
 	if (!rvSession->lock) {
 	    /* need to translate NSPR error? */
 	    if (arenaOpt) {
 	    } else {
 		nss_ZFreeIf(rvSession);
 	    }
 	    return (nssSession *)NULL;
 	}
+        rvSession->ownLock = PR_TRUE;
+    } else {
+        rvSession->lock = slot->lock;
+        rvSession->ownLock = PR_FALSE;
     }
+	
     rvSession->handle = handle;
     rvSession->slot = slot;
     rvSession->isRW = readWrite;
     return rvSession;
 }
 
 NSS_IMPLEMENT PRStatus
 nssSession_Destroy
 (
   nssSession *s
 )
 {
     CK_RV ckrv = CKR_OK;
     if (s) {
 	void *epv = s->slot->epv;
 	ckrv = CKAPI(epv)->C_CloseSession(s->handle);
-	if (s->lock) {
+	if (s->ownLock && s->lock) {
 	    PZ_DestroyLock(s->lock);
 	}
 	nss_ZFreeIf(s);
     }
     return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
 }
 #endif /* PURE_STAN_BUILD */
 
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -119,28 +119,30 @@ struct NSSSlotStr
 {
   struct nssDeviceBaseStr base;
   NSSModule *module; /* Parent */
   NSSToken *token;  /* Peer */
   CK_SLOT_ID slotID;
   CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
   struct nssSlotAuthInfoStr authInfo;
   PRIntervalTime lastTokenPing;
+  PZLock *lock;
 #ifdef NSS_3_4_CODE
   void *epv;
   PK11SlotInfo *pk11slot;
 #endif
 };
 
 struct nssSessionStr
 {
   PZLock *lock;
   CK_SESSION_HANDLE handle;
   NSSSlot *slot;
   PRBool isRW;
+  PRBool ownLock;
 };
 
 typedef enum {
     NSSCertificateType_Unknown = 0,
     NSSCertificateType_PKIX = 1
 } NSSCertificateType;
 
 #ifdef nodef
--- a/security/nss/lib/fortcrypt/Makefile
+++ b/security/nss/lib/fortcrypt/Makefile
@@ -104,21 +104,29 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 	$(MAKE) $(STUBDLL)
 else
 	$(AR) $<
 endif
 	cp $@ $(CILIB)
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 $(STUBDLL): $(OBJDIR)/maci.o
+ifdef NS_USE_GCC
+	$(LINK_DLL) -Wl,--out-implib,$(STUBLIB) $(OBJDIR)/maci.o $(OS_LIBS)
+else
 	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJDIR)/maci.o $(OS_LIBS))
+endif
 
 $(OBJDIR)/maci.o: maci.c
+ifdef NS_USE_GCC
+	$(CC) -o $@ -c $(CFLAGS) $<
+else
 	$(CC) -Fo$@ -c $(CFLAGS) $<
 endif
+endif
 
 #
 # The following rules packages the shared library into a JAR,
 # ready to be signed
 #
 $(OBJDIR)/replace: replace.c
 	$(CC) -o $@ $<
 
--- a/security/nss/lib/fortcrypt/maci.h
+++ b/security/nss/lib/fortcrypt/maci.h
@@ -73,17 +73,17 @@ extern "C"
 #else
 #define PROTO_LIST(list)  list
 #endif /*_K_AND_R_ */
 #endif /* PROTO_LIST */
 
 
 #ifndef RETURN_TYPE
 #if defined( _WIN32 ) || defined( __WIN32__ )
-#define RETURN_TYPE  extern _declspec( dllimport ) int _cdecl
+#define RETURN_TYPE  extern __declspec( dllimport ) int _cdecl
 #elif defined( _WINDOWS ) || defined( _Windows )
 #define RETURN_TYPE  extern int _far _pascal
 #else
 #define RETURN_TYPE  extern int
 #endif /* Windows */
 #endif /* RETURN_TYPE */
 
 /* MS Visual C++ defines _MSDOS and _WINDOWS    */
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
@@ -45,26 +45,44 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 ifdef MOZILLA_SECURITY_BUILD
 CRYPTO_LIB = $(DIST)/lib/crypto.lib
 endif
 ifdef MOZILLA_BSAFE_BUILD
 CRYPTO_LIB += $(DIST)/lib/bsafe$(BSAFEVER).lib
 CRYPTO_LIB += $(DIST)/lib/freebl.lib 
 endif
 
+# Link with the real NSPR DLLs for MinGW because the NSPR stubs in
+# stub.c can't resolve the references to the _imp__PR_XXX symbols.
+# This is merely an expedient hack and not the right solution.
+ifdef NS_USE_GCC
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
+	$(CRYPTO_LIB) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	-L$(DIST)/lib \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	-lws2_32 \
+	-lwinmm \
+	$(NULL)
+else # ! NS_USE_GCC
 EXTRA_LIBS = \
 	$(DIST)/lib/swfci.lib \
 	$(DIST)/lib/softokn.lib \
 	$(CRYPTO_LIB) \
 	$(DIST)/lib/secutil.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
+endif # NS_USE_GCC
 
 else
 
 ifdef MOZILLA_SECURITY_BUILD
 CRYPTO_LIB = $(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
 endif
 ifdef MOZILLA_BSAFE_BUILD
 CRYPTO_LIB += $(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
--- a/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
@@ -229,16 +229,22 @@ PORT_ArenaStrdup(PLArenaPool *arena,cons
 
     newstr = (char*)PORT_ArenaAlloc(arena,len);
     if (newstr) {
         PORT_Memcpy(newstr,str,len);
     }
     return newstr;
 }
 
+/*
+ * Do not use NSPR stubs for MinGW because they can't resolve references
+ * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
+ * the right solution.
+ */
+#if !(defined(WIN32) && defined(__GNUC__))
 PR_IMPLEMENT(void)
 PR_Assert(const char *expr, const char *file, int line) {
     return; 
 }
 
 PR_IMPLEMENT(void *)
 PR_Alloc(PRUint32 bytes) { return malloc(bytes); }
 
@@ -251,32 +257,39 @@ PR_Calloc(PRUint32 blocks, PRUint32 byte
 PR_IMPLEMENT(void)
 PR_Free(void *ptr) { free(ptr); }
 
 PR_IMPLEMENT(void)
 PR_SetError(PRErrorCode errorCode, PRInt32 oserr) { return; }
 
 PR_IMPLEMENT(void)
 PR_SetErrorText(PRIntn textLength, const char *text) { return; }
+#endif /* ! (WIN32 && GCC) */
 
 
 /* Old template; want to expunge it eventually. */
 #include "secasn1.h"
 #include "secoid.h"
 
 const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(SECAlgorithmID) },
     { SEC_ASN1_OBJECT_ID,
 	  offsetof(SECAlgorithmID,algorithm), },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
 	  offsetof(SECAlgorithmID,parameters), },
     { 0, }
 };
 
+/*
+ * Do not use NSPR stubs for MinGW because they can't resolve references
+ * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
+ * the right solution.
+ */
+#if !(defined(WIN32) && defined(__GNUC__))
 /* now make the RNG happy */ /* This is not atomic! */
 PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
 /* This is not atomic! */
 PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
 
 PR_IMPLEMENT(PRStatus) PR_Sleep(PRIntervalTime ticks) { return PR_SUCCESS; }
 
 #include "nssilock.h"
@@ -353,11 +366,12 @@ PR_IMPLEMENT(PRStatus) PR_CallOnce(
 /*
 ** Compute the log of the least power of 2 greater than or equal to n
 */
 PRIntn PR_CeilingLog2(PRUint32 i) {
 	PRIntn log2;
 	PR_CEILING_LOG2(log2,i);
 	return log2;
 }
+#endif /* ! (WIN32 && GCC) */
 
 /********************** end of arena functions ***********************/
 
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -73,22 +73,35 @@ endif
 endif
 
 ifeq ($(OS_TARGET),OSF1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
     MPI_SRCS += mpvalpha.c
 endif
 
 ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WIN16 and WINCE
+ifdef NS_USE_GCC
+# Ideally, we want to use assembler
+#     ASFILES  = mpi_x86.s
+#     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
+#                -DMP_ASSEMBLY_DIV_2DX1D
+# but we haven't figured out how to make it work, so we are not
+# using assembler right now.
+    ASFILES  =
+    DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT
+else
     ASFILES  = mpi_x86.asm
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+endif
 ifdef BUILD_OPT
+ifndef NS_USE_GCC
     OPTIMIZER += -Ox  # maximum optimization for freebl
 endif
 endif
+endif
 
 ifeq ($(OS_TARGET),WINCE)
     DEFINES += -DMP_ARGCHK=0	# no assert in WinCE
     DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
 endif
 
 ifdef XP_OS2_VACPP
     ASFILES  = mpi_x86.asm
--- a/security/nss/lib/freebl/shvfy.c
+++ b/security/nss/lib/freebl/shvfy.c
@@ -37,16 +37,17 @@
  */
 
 #include "shsign.h"
 #include "prlink.h"
 #include "prio.h"
 #include "blapi.h"
 #include "seccomon.h"
 #include "stdio.h"
+#include "prmem.h"
 
 /* #define DEBUG_SHVERIFY 1 */
 
 static char *
 mkCheckFileName(const char *libName)
 {
     int ln_len = PORT_Strlen(libName);
     char *output = PORT_Alloc(ln_len+sizeof(SGN_SUFFIX));
--- a/security/nss/lib/nss/config.mk
+++ b/security/nss/lib/nss/config.mk
@@ -35,28 +35,38 @@
 #  Override TARGETS variable so that only static libraries
 #  are specifed as dependencies within rules.mk.
 #
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
-IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = $(LIBRARY_NAME).rc
 
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lsoftokn3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4\
+	$(NULL)
+else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/softokn3.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
+endif # NS_USE_GCC
 
 else
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib/ \
 	-lsoftokn3 \
@@ -94,13 +104,15 @@ SHARED_LIBRARY_DIRS = \
 
 ifeq ($(OS_TARGET),SunOS)
 # The -R '$ORIGIN' linker option instructs libnss3.so to search for its
 # dependencies (libsoftokn3.so) in the same directory where it resides.
 MKSHLIB += -R '$$ORIGIN'
 endif
 
 ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
+ifndef NS_USE_GCC
 # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
 # but do not put it in the import library.  See bug 142575.
 DEFINES += -DWIN32_NSS3_DLL_COMPAT
 DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
 endif
+endif
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -44,21 +44,21 @@ SEC_BEGIN_PROTOS
 
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>] [<Beta>]"
  */
-#define NSS_VERSION  "3.8"
+#define NSS_VERSION  "3.8.1 Beta"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   8
-#define NSS_VPATCH   0
-#define NSS_BETA     PR_FALSE
+#define NSS_VPATCH   1
+#define NSS_BETA     PR_TRUE
 
 
 /*
  * Return a boolean that indicates whether the underlying library
  * will perform as the caller expects.
  *
  * The only argument is a string, which should be the verson
  * identifier of the NSS library. That string will be compared
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -62,16 +62,17 @@ NSS_IMPLEMENT nssSession *
 nssSession_ImportNSS3Session(NSSArena *arenaOpt,
                              CK_SESSION_HANDLE session, 
                              PZLock *lock, PRBool rw)
 {
     nssSession *rvSession;
     rvSession = nss_ZNEW(arenaOpt, nssSession);
     rvSession->handle = session;
     rvSession->lock = lock;
+    rvSession->ownLock = PR_FALSE;
     rvSession->isRW = rw;
     return rvSession;
 }
 
 NSS_IMPLEMENT nssSession *
 nssSlot_CreateSession
 (
   NSSSlot *slot,
@@ -87,16 +88,33 @@ nssSlot_CreateSession
     if (readWrite) {
 	rvSession->handle = PK11_GetRWSession(slot->pk11slot);
 	if (rvSession->handle == CK_INVALID_HANDLE) {
 	    nss_ZFreeIf(rvSession);
 	    return NULL;
 	}
 	rvSession->isRW = PR_TRUE;
 	rvSession->slot = slot;
+        /*
+         * The session doesn't need its own lock.  Here's why.
+         * 1. If we are reusing the default RW session of the slot,
+         *    the slot lock is already locked to protect the session.
+         * 2. If the module is not thread safe, the slot (or rather
+         *    module) lock is already locked.
+         * 3. If the module is thread safe and we are using a new
+         *    session, no higher-level lock has been locked and we
+         *    would need a lock for the new session.  However, the
+         *    NSS_3_4_CODE usage of the session is that it is always
+         *    used and destroyed within the same function and never
+         *    shared with another thread.
+         * So the session is either already protected by another
+         * lock or only used by one thread.
+         */
+        rvSession->lock = NULL;
+        rvSession->ownLock = PR_FALSE;
 	return rvSession;
     } else {
 	return NULL;
     }
 }
 
 NSS_IMPLEMENT PRStatus
 nssSession_Destroy
@@ -131,16 +149,17 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
     rvSlot->base.refCount = 1;
     rvSlot->base.lock = PZ_NewLock(nssILockOther);
     rvSlot->base.arena = arena;
     rvSlot->pk11slot = nss3slot;
     rvSlot->epv = nss3slot->functionList;
     rvSlot->slotID = nss3slot->slotID;
     /* Grab the slot name from the PKCS#11 fixed-length buffer */
     rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena);
+    rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
     return rvSlot;
 }
 
 NSS_IMPLEMENT NSSToken *
 nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
 {
     NSSToken *rvToken;
     NSSArena *arena;
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -78,17 +78,17 @@ PK11SlotInfo *PK11_GetInternalKeySlot(vo
 PK11SlotInfo *PK11_GetInternalSlot(void);
 char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
 								int stringLen);
 int PK11_MapError(CK_RV error);
 CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
 void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
 PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
 					 CK_SESSION_HANDLE session_handle);
-PK11SlotInfo *PK11_NewSlotInfo(void);
+PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
 SECStatus PK11_Logout(PK11SlotInfo *slot);
 void PK11_LogoutAll(void);
 void PK11_EnterSlotMonitor(PK11SlotInfo *);
 void PK11_ExitSlotMonitor(PK11SlotInfo *);
 void PK11_CleanKeyList(PK11SlotInfo *slot);
 
 
 /************************************************************
--- a/security/nss/lib/pk11wrap/pk11load.c
+++ b/security/nss/lib/pk11wrap/pk11load.c
@@ -266,17 +266,17 @@ SECMOD_LoadPKCS11Module(SECMODModule *mo
 	rv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount);
 	if (rv != CKR_OK) {
 	    PORT_Free(slotIDs);
 	    goto fail2;
 	}
 
 	/* Initialize each slot */
 	for (i=0; i < (int)slotCount; i++) {
-	    mod->slots[i] = PK11_NewSlotInfo();
+	    mod->slots[i] = PK11_NewSlotInfo(mod);
 	    PK11_InitSlot(mod,slotIDs[i],mod->slots[i]);
 	    /* look down the slot info table */
 	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
 	    SECMOD_SetRootCerts(mod->slots[i],mod);
 	}
 	mod->slotCount = slotCount;
 	mod->slotInfoCount = 0;
 	PORT_Free(slotIDs);
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -393,38 +393,41 @@ PK11_FindSlotElement(PK11SlotList *list,
 
 /************************************************************
  * Generic Slot Utilities
  ************************************************************/
 /*
  * Create a new slot structure
  */
 PK11SlotInfo *
-PK11_NewSlotInfo(void)
+PK11_NewSlotInfo(SECMODModule *mod)
 {
     PK11SlotInfo *slot;
 
     slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
     if (slot == NULL) return slot;
 
 #ifdef PKCS11_USE_THREADS
     slot->refLock = PZ_NewLock(nssILockSlot);
     if (slot->refLock == NULL) {
 	PORT_Free(slot);
 	return slot;
     }
-    slot->sessionLock = PZ_NewLock(nssILockSession);
+    slot->sessionLock = mod->isThreadSafe ?
+	PZ_NewLock(nssILockSession) : (PZLock *)mod->refLock;
     if (slot->sessionLock == NULL) {
 	PZ_DestroyLock(slot->refLock);
 	PORT_Free(slot);
 	return slot;
     }
     slot->freeListLock = PZ_NewLock(nssILockFreelist);
     if (slot->freeListLock == NULL) {
-	PZ_DestroyLock(slot->sessionLock);
+	if (mod->isThreadSafe) {
+	    PZ_DestroyLock(slot->sessionLock);
+	}
 	PZ_DestroyLock(slot->refLock);
 	PORT_Free(slot);
 	return slot;
     }
 #else
     slot->sessionLock = NULL;
     slot->refLock = NULL;
     slot->freeListLock = NULL;
@@ -493,36 +496,36 @@ PK11_DestroySlot(PK11SlotInfo *slot)
    }
 
    /* free up the cached keys and sessions */
    PK11_CleanKeyList(slot);
 
    if (slot->mechanismList) {
 	PORT_Free(slot->mechanismList);
    }
-
-   /* finally Tell our parent module that we've gone away so it can unload */
-   if (slot->module) {
-	SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
-   }
 #ifdef PKCS11_USE_THREADS
    if (slot->refLock) {
 	PZ_DestroyLock(slot->refLock);
 	slot->refLock = NULL;
    }
-   if (slot->sessionLock) {
+   if (slot->isThreadSafe && slot->sessionLock) {
 	PZ_DestroyLock(slot->sessionLock);
-	slot->sessionLock = NULL;
    }
+   slot->sessionLock = NULL;
    if (slot->freeListLock) {
 	PZ_DestroyLock(slot->freeListLock);
 	slot->freeListLock = NULL;
    }
 #endif
 
+   /* finally Tell our parent module that we've gone away so it can unload */
+   if (slot->module) {
+	SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
+   }
+
    /* ok, well not quit finally... now we free the memory */
    PORT_Free(slot);
 }
 
 
 /* We're all done with the slot, free it */
 void
 PK11_FreeSlot(PK11SlotInfo *slot)
@@ -4751,17 +4754,17 @@ PK11_WaitForTokenEvent(PK11SlotInfo *slo
 	series = PK11_GetSlotSeries(slot);
    }
    while (PK11_IsPresent(slot) == waitForRemoval ) {
 	PRIntervalTime interval;
 
 	if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
 	    return PK11TokenChanged;
 	}
-	if (timeout != PR_INTERVAL_NO_WAIT) {
+	if (timeout == PR_INTERVAL_NO_WAIT) {
 	    return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
 	}
 	if (timeout != PR_INTERVAL_NO_TIMEOUT ) {
 	    interval = PR_IntervalNow();
 	    if (!first_time_set) {
 		first_time = interval;
 		first_time_set = PR_TRUE;
 	    }
--- a/security/nss/lib/smime/cmsdecode.c
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -54,26 +54,50 @@ struct NSSCMSDecoderContextStr {
     NSSCMSContent			content;	/* pointer to message */
     NSSCMSDecoderContext *		childp7dcx;	/* inner CMS decoder context */
     PRBool				saw_contents;
     int					error;
     NSSCMSContentCallback		cb;
     void *				cb_arg;
 };
 
+struct NSSCMSDecoderDataStr {
+    SECItem data; 	/* must be first */
+    unsigned int totalBufferSize;
+};
+
+typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData;
+
 static void nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
                           int depth, SEC_ASN1EncodingPart data_kind);
 static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
 static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
 static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
 static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
 			     const unsigned char *data, unsigned long len, PRBool final);
+static NSSCMSDecoderData *nss_cms_create_decoder_data(PRArenaPool *poolp);
 
 extern const SEC_ASN1Template NSSCMSMessageTemplate[];
 
+static NSSCMSDecoderData *
+nss_cms_create_decoder_data(PRArenaPool *poolp)
+{
+    NSSCMSDecoderData *decoderData = NULL;
+
+    decoderData = (NSSCMSDecoderData *)
+			PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData));
+    if (!decoderData) {
+	return NULL;
+    }
+    decoderData->data.data = NULL;
+    decoderData->data.len = 0;
+    decoderData->totalBufferSize = 0;
+    return decoderData;
+}
+
 /* 
  * nss_cms_decoder_notify -
  *  this is the driver of the decoding process. It gets called by the ASN.1
  *  decoder before and after an object is decoded.
  *  at various points in the decoding process, we intercept to set up and do
  *  further processing.
  */
 static void
@@ -245,18 +269,18 @@ nss_cms_before_data(NSSCMSDecoderContext
 
     /* ok, now we have a pointer to cinfo */
     /* find out what kind of data is encapsulated */
     
     cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
     childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
 
     if (childtype == SEC_OID_PKCS7_DATA) {
-	cinfo->content.data = SECITEM_AllocItem(poolp, NULL, 0);
-	if (cinfo->content.data == NULL)
+	cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp);
+	if (cinfo->content.pointer == NULL)
 	    /* set memory error */
 	    return SECFailure;
 
 	p7dcx->childp7dcx = NULL;
 	return SECSuccess;
     }
 
     /* set up inner decoder */
@@ -409,17 +433,16 @@ nss_cms_decoder_work_data(NSSCMSDecoderC
 			     const unsigned char *data, unsigned long len,
 			     PRBool final)
 {
     NSSCMSContentInfo *cinfo;
     unsigned char *buf = NULL;
     unsigned char *dest;
     unsigned int offset;
     SECStatus rv;
-    SECItem *storage;
 
     /*
      * We should really have data to process, or we should be trying
      * to finish/flush the last block.  (This is an overly paranoid
      * check since all callers are in this file and simple inspection
      * proves they do it right.  But it could find a bug in future
      * modifications/development, that is why it is here.)
      */
@@ -505,37 +528,40 @@ nss_cms_decoder_work_data(NSSCMSDecoderC
 	(*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
     }
 #if 1
     else
 #endif
     if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
 	/* store it in "inner" data item as well */
 	/* find the DATA item in the encapsulated cinfo and store it there */
-	storage = cinfo->content.data;
+	NSSCMSDecoderData *decoderData = 
+				(NSSCMSDecoderData *)cinfo->content.pointer;
+	SECItem *dataItem = &decoderData->data;
 
-	offset = storage->len;
-	if (storage->len == 0) {
-	    dest = (unsigned char *)PORT_ArenaAlloc(p7dcx->cmsg->poolp, len);
-	} else {
-	    dest = (unsigned char *)PORT_ArenaGrow(p7dcx->cmsg->poolp, 
-				  storage->data,
-				  storage->len,
-				  storage->len + len);
-	}
-	if (dest == NULL) {
-	    p7dcx->error = SEC_ERROR_NO_MEMORY;
-	    goto loser;
+	offset = dataItem->len;
+	if (dataItem->len+len > decoderData->totalBufferSize) {
+	    int needLen = (dataItem->len+len) * 2;
+	    dest = (unsigned char *)
+				PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
+	    if (dest == NULL) {
+		p7dcx->error = SEC_ERROR_NO_MEMORY;
+		goto loser;
+	    }
+
+	    if (dataItem->len) {
+		PORT_Memcpy(dest, dataItem->data, dataItem->len);
+	    }
+	    decoderData->totalBufferSize = needLen;
+	    dataItem->data = dest;
 	}
 
-	storage->data = dest;
-	storage->len += len;
-
 	/* copy it in */
-	PORT_Memcpy(storage->data + offset, data, len);
+	PORT_Memcpy(dataItem->data + offset, data, len);
+	dataItem->len += len;
     }
 
 done:
 loser:
     if (buf)
 	PORT_Free (buf);
 }
 
--- a/security/nss/lib/smime/config.mk
+++ b/security/nss/lib/smime/config.mk
@@ -31,28 +31,38 @@
 # GPL.
 #
 
 RELEASE_LIBS = $(TARGETS)
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
-IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/smime.res
 RESNAME = smime.rc
 
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/nss3.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
+endif # NS_USE_GCC
 
 else
 
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib/ \
 	-lnss3 \
 	-lplc4 \
 	-lplds4 \
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -44,31 +44,40 @@ EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
 	$(NULL)
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
-IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = $(LIBRARY_NAME).rc
 
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
 ifdef MOZILLA_BSAFE_BUILD
 	EXTRA_LIBS+=$(DIST)/lib/bsafe$(BSAFEVER).lib
 endif
 
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
+endif # NS_USE_GCC
 
 else
 
 ifdef MOZILLA_BSAFE_BUILD
 	EXTRA_LIBS+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
--- a/security/nss/lib/softoken/pkcs11p.h
+++ b/security/nss/lib/softoken/pkcs11p.h
@@ -38,12 +38,14 @@
  */
 /* these data types are platform/implementation dependent. */
 /*
  * Packing was removed from the shipped RSA header files, even
  * though it's still needed. put in a central file to help merging..
  */
 
 #if defined(_WIN32)
+#ifdef _MSC_VER
 #pragma warning(disable:4103)
+#endif
 #pragma pack(push, cryptoki, 1)
 #endif
 
--- a/security/nss/lib/softoken/pkcs11u.h
+++ b/security/nss/lib/softoken/pkcs11u.h
@@ -36,12 +36,14 @@
  * Cryptography Standards (PKCS)" in all material mentioning or referencing
  * this document.
  */
 /*
  * reset any packing set by pkcs11p.h
  */
 
 #if defined (_WIN32)
+#ifdef _MSC_VER
 #pragma warning(disable:4103)
+#endif
 #pragma pack(pop, cryptoki)
 #endif
 
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -29,28 +29,39 @@
 # the GPL.  If you do not delete the provisions above, a recipient
 # may use your version of this file under either the MPL or the
 # GPL.
 #
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
-IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/ssl.res
 RESNAME = ssl.rc
 
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/nss3.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
+endif # NS_USE_GCC
+
 else
 
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib/ \
 	-lnss3 \
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -5122,16 +5122,31 @@ ssl3_HandleCertificateRequest(sslSocket 
 						 &ssl3->clientPrivateKey);
     }
     switch (rv) {
     case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
 	ssl_SetAlwaysBlock(ss);
 	break;	/* not an error */
 
     case SECSuccess:
+        /* check what the callback function returned */
+        if ((!ssl3->clientCertificate) || (!ssl3->clientPrivateKey)) {
+            /* we are missing either the key or cert */
+            if (ssl3->clientCertificate) {
+                /* got a cert, but no key - free it */
+                CERT_DestroyCertificate(ssl3->clientCertificate);
+                ssl3->clientCertificate = NULL;
+            }
+            if (ssl3->clientPrivateKey) {
+                /* got a key, but no cert - free it */
+                SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
+                ssl3->clientPrivateKey = NULL;
+            }
+            goto send_no_certificate;
+        }
 	/* Setting ssl3->clientCertChain non-NULL will cause
 	 * ssl3_HandleServerHelloDone to call SendCertificate.
 	 */
 	ssl3->clientCertChain = CERT_CertChainFromCert(ssl3->clientCertificate,
 			certUsageSSLClient, PR_FALSE);
 	if (ssl3->clientCertChain == NULL) {
 	    if (ssl3->clientCertificate != NULL) {
 		CERT_DestroyCertificate(ssl3->clientCertificate);
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -2339,16 +2339,32 @@ ssl2_HandleRequestCertificate(sslSocket 
 	ssl_SetAlwaysBlock(ss);
 	goto done;
     }
 
     if (ret) {
 	goto no_cert_error;
     }
 
+    /* check what the callback function returned */
+    if ((!cert) || (!key)) {
+        /* we are missing either the key or cert */
+        if (cert) {
+            /* got a cert, but no key - free it */
+            CERT_DestroyCertificate(cert);
+            cert = NULL;
+        }
+        if (key) {
+            /* got a key, but no cert - free it */
+            SECKEY_DestroyPrivateKey(key);
+            key = NULL;
+        }
+        goto no_cert_error;
+    }
+
     rv = ssl2_SignResponse(ss, key, &response);
     if ( rv != SECSuccess ) {
 	ret = -1;
 	goto loser;
     }
 
     /* Send response message */
     ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -595,16 +595,42 @@ sec_asn1d_init_state_based_on_template (
     state->explicit = explicit;
     state->optional = optional;
 
     sec_asn1d_scrub_state (state);
 
     return state;
 }
 
+static PRBool
+sec_asn1d_parent_is_indefinite(sec_asn1d_state *state)
+{
+    for (state = state->parent; state; state = state->parent) {
+	sec_asn1d_parse_place place = state->place;
+	if (place != afterImplicit      &&
+	    place != afterPointer       &&
+	    place != afterInline        &&
+	    place != afterSaveEncoding  &&
+	    place != duringSaveEncoding &&
+	    place != duringChoice) {
+
+            /* we've walked up the stack to a state that represents
+            ** the enclosing construct.  Is it one of the types that
+            ** permits an unexpected EOC?
+            */
+            int eoc_permitted = 
+		(place == duringGroup ||
+		 place == duringConstructedString ||
+		 state->child->optional);
+            return (state->indefinite && eoc_permitted) ? PR_TRUE : PR_FALSE;
+
+	}
+    }
+    return PR_FALSE;
+}
 
 static unsigned long
 sec_asn1d_parse_identifier (sec_asn1d_state *state,
 			    const char *buf, unsigned long len)
 {
     unsigned char byte;
     unsigned char tag_number;
 
@@ -623,25 +649,17 @@ sec_asn1d_parse_identifier (sec_asn1d_st
 	state->found_tag_number = 0;
 	/*
 	 * Actually, we have no idea how many bytes are pending, but we
 	 * do know that it is at least 1.  That is all we know; we have
 	 * to look at each byte to know if there is another, etc.
 	 */
 	state->pending = 1;
     } else {
-	if (byte == 0 && state->parent != NULL &&
-		    (state->parent->indefinite ||
-			(
-			    (state->parent->place == afterImplicit ||
-			     state->parent->place == afterPointer)
-			    && state->parent->parent != NULL && state->parent->parent->indefinite
-			)
-		    )
-	    ) {
+	if (byte == 0 && sec_asn1d_parent_is_indefinite(state)) {
 	    /*
 	     * Our parent has indefinite-length encoding, and the
 	     * entire tag found is 0, so it seems that we have hit the
 	     * end-of-contents octets.  To handle this, we just change
 	     * our state to that which expects to get the bytes of the
 	     * end-of-contents octets and let that code re-read this byte
 	     * so that our categorization of field types is correct.
 	     * After that, our parent will then deal with everything else.
@@ -2182,27 +2200,45 @@ sec_asn1d_during_choice
   sec_asn1d_state *child = state->child;
   
   PORT_Assert((sec_asn1d_state *)NULL != child);
 
   if( child->missing ) {
     unsigned char child_found_tag_modifiers = 0;
     unsigned long child_found_tag_number = 0;
 
+	state->consumed += child->consumed;
+
+	if (child->endofcontents) {
+	    /* This choice is probably the first item in a GROUP
+	    ** (e.g. SET_OF) that was indefinite-length encoded.
+	    ** We're actually at the end of that GROUP.
+	    ** We should look up the stack to be sure that we find
+	    ** a state with indefinite length encoding before we
+	    ** find a state (like a SEQUENCE) that is definite.
+	    */
+	    child->place = notInUse;
+	    state->place = afterChoice;
+	    state->endofcontents = PR_TRUE;  /* propagate this up */
+	    if (sec_asn1d_parent_is_indefinite(state))
+		return state;
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return NULL;
+	}
+
     child->theTemplate++;
 
     if( 0 == child->theTemplate->kind ) {
       /* Ran out of choices */
       PORT_SetError(SEC_ERROR_BAD_DER);
       state->top->status = decodeError;
       return (sec_asn1d_state *)NULL;
     }
 
-    state->consumed += child->consumed;
-
     /* cargo'd from next_in_sequence innards */
     if( state->pending ) {
       PORT_Assert(!state->indefinite);
       if( child->consumed > state->pending ) {
 	PORT_SetError (SEC_ERROR_BAD_DER);
 	state->top->status = decodeError;
 	return NULL;
       }