fixup commit for branch 'THREADS_20060213_BASE' THREADS_20060213_BASE
authorcvs2hg
Sat, 21 Jan 2006 02:36:13 +0000
branchTHREADS_20060213_BASE
changeset 6486 67827e84702af32db41be27fe0cd06861584ea93
parent 6339 e2d54096fcebdbfe0708a95fc055da5aa1b55ee0
child 6487 b808ec008c4da3b4a4ee5471ad359a8a363d63d8
child 6630 c736977da64cd7102cf2e4a3b7872ffd35c36b0e
child 14012 f513f8761267c6d0eb3de132582dbfbf25262dd9
push idunknown
push userunknown
push dateunknown
fixup commit for branch 'THREADS_20060213_BASE'
dbm/src/db.c
security/coreconf/FreeBSD.mk
security/coreconf/Linux.mk
security/coreconf/Linux2.6.mk
security/dbm/Makefile
security/dbm/config/config.mk
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/dirent.c
security/dbm/src/dirent.h
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/cmd/cmdlib/Makefile
security/nss/cmd/cmdlib/cmdline.c
security/nss/cmd/cmdlib/cmdutil.h
security/nss/cmd/cmdlib/config.mk
security/nss/cmd/cmdlib/manifest.mn
security/nss/cmd/fipstest/Makefile
security/nss/cmd/fipstest/ecdsa.sh
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/fipstest/hmac.sh
security/nss/cmd/fipstest/sha.sh
security/nss/cmd/fipstest/tdea.sh
security/nss/cmd/ilock/Makefile
security/nss/cmd/ilock/ilock.c
security/nss/cmd/ilock/manifest.mn
security/nss/cmd/include/secnew.h
security/nss/cmd/keyutil/Makefile
security/nss/cmd/keyutil/keyutil.c
security/nss/cmd/keyutil/manifest.mn
security/nss/cmd/pkiutil/Makefile
security/nss/cmd/pkiutil/manifest.mn
security/nss/cmd/pkiutil/pkiutil.c
security/nss/cmd/pkiutil/platlibs.mk
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/sslstrength/Makefile
security/nss/cmd/sslstrength/manifest.mn
security/nss/cmd/sslstrength/sslstr.cgi
security/nss/cmd/sslstrength/sslstrength.c
security/nss/cmd/sslstrength/sslwrap
security/nss/cmd/swfort/Makefile
security/nss/cmd/swfort/instinit/Makefile
security/nss/cmd/swfort/instinit/instinit.c
security/nss/cmd/swfort/instinit/manifest.mn
security/nss/cmd/swfort/manifest.mn
security/nss/cmd/swfort/newuser/Makefile
security/nss/cmd/swfort/newuser/manifest.mn
security/nss/cmd/swfort/newuser/mktst.c
security/nss/cmd/swfort/newuser/newuser.c
security/nss/cmd/ttformat/Makefile
security/nss/cmd/ttformat/manifest.mn
security/nss/cmd/ttformat/nClient
security/nss/cmd/ttformat/nServ
security/nss/cmd/ttformat/redux.pl
security/nss/cmd/ttformat/reduxhwm.pl
security/nss/cmd/ttformat/ttformat.c
security/nss/lib/fortcrypt/Makefile
security/nss/lib/fortcrypt/config.mk
security/nss/lib/fortcrypt/cryptint.h
security/nss/lib/fortcrypt/fmutex.c
security/nss/lib/fortcrypt/fmutex.h
security/nss/lib/fortcrypt/forsock.c
security/nss/lib/fortcrypt/fortinst.htm
security/nss/lib/fortcrypt/fortpk11.c
security/nss/lib/fortcrypt/fortsock.h
security/nss/lib/fortcrypt/fpkcs11.h
security/nss/lib/fortcrypt/fpkcs11f.h
security/nss/lib/fortcrypt/fpkcs11i.h
security/nss/lib/fortcrypt/fpkcs11t.h
security/nss/lib/fortcrypt/fpkmem.h
security/nss/lib/fortcrypt/fpkstrs.h
security/nss/lib/fortcrypt/genci.h
security/nss/lib/fortcrypt/globinst.htm
security/nss/lib/fortcrypt/handinst.htm
security/nss/lib/fortcrypt/homeinst.htm
security/nss/lib/fortcrypt/inst.js
security/nss/lib/fortcrypt/inst_PPC.js
security/nss/lib/fortcrypt/install.js
security/nss/lib/fortcrypt/maci.c
security/nss/lib/fortcrypt/maci.h
security/nss/lib/fortcrypt/macinst.htm
security/nss/lib/fortcrypt/manifest.mn
security/nss/lib/fortcrypt/replace.c
security/nss/lib/fortcrypt/secmodjar.html
security/nss/lib/fortcrypt/swfort/Makefile
security/nss/lib/fortcrypt/swfort/config.mk
security/nss/lib/fortcrypt/swfort/manifest.mn
security/nss/lib/fortcrypt/swfort/nsmap.h
security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore
security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
security/nss/lib/fortcrypt/swfort/pkcs11/config.mk
security/nss/lib/fortcrypt/swfort/pkcs11/inst.js
security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn
security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst
security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
security/nss/lib/fortcrypt/swfort/swfalg.c
security/nss/lib/fortcrypt/swfort/swflib.c
security/nss/lib/fortcrypt/swfort/swfort.h
security/nss/lib/fortcrypt/swfort/swforti.h
security/nss/lib/fortcrypt/swfort/swfortt.h
security/nss/lib/fortcrypt/swfort/swfortti.h
security/nss/lib/fortcrypt/swfort/swfparse.c
security/nss/lib/fortcrypt/swfort/swfutl.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour-amd64-gas.s
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/ecl-curve.h
security/nss/lib/freebl/ecl/ecl_mult.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi_amd64_gas.s
security/nss/lib/nss/nss.h
security/nss/lib/ssl/sslimpl.h
--- a/dbm/src/db.c
+++ b/dbm/src/db.c
@@ -82,17 +82,17 @@ dbopen(const char *fname, int flags,int 
 	  {
 		errno = EINVAL;
 		return(NULL);
 	  }
 
 #define	DB_FLAGS	(DB_LOCK | DB_SHMEM | DB_TXN)
 
 
-#if 0  /* most systems dont have EXLOCK and SHLOCK */
+#if 0  /* most systems don't have EXLOCK and SHLOCK */
 #define	USE_OPEN_FLAGS							\
 	(O_CREAT | O_EXCL | O_EXLOCK | O_NONBLOCK | O_RDONLY |		\
 	 O_RDWR | O_SHLOCK | O_TRUNC)
 #else
 #define	USE_OPEN_FLAGS							\
 	(O_CREAT | O_EXCL  | O_RDONLY |		\
 	 O_RDWR | O_TRUNC)
 #endif
--- a/security/coreconf/FreeBSD.mk
+++ b/security/coreconf/FreeBSD.mk
@@ -70,16 +70,16 @@ MOZ_OBJFORMAT		:= $(shell test -x /usr/b
 ifeq ($(MOZ_OBJFORMAT),elf)
 DLL_SUFFIX		= so
 else
 DLL_SUFFIX		= so.1.0
 endif
 
 MKSHLIB			= $(CC) $(DSO_LDOPTS)
 ifdef MAPFILE
-# Add LD options to restrict exported symbols to those in the map file
+	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
+PROCESS_MAP_FILE = grep -v ';-' $< | \
+        sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 G++INCLUDES		= -I/usr/include/g++
 
 INCLUDES		+= -I/usr/X11R6/include
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -160,17 +160,17 @@ OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
 DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -shared $(ARCHFLAG) -z defs
+DSO_LDOPTS		= -shared $(ARCHFLAG)
 DSO_LDFLAGS		=
 LDFLAGS			+= $(ARCHFLAG)
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
 # Always set CPU_TAG on Linux, OpenVMS, WINCE.
--- a/security/coreconf/Linux2.6.mk
+++ b/security/coreconf/Linux2.6.mk
@@ -32,16 +32,18 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
+DSO_LDOPTS      += -Wl,-z,defs
+
 OS_REL_CFLAGS   += -DLINUX2_1
 MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
deleted file mode 100644
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-coreconf_hack:
-	cd ../coreconf; gmake
-	gmake import
-
-RelEng_bld: coreconf_hack
-	gmake
deleted file mode 100644
--- a/security/dbm/config/config.mk
+++ /dev/null
@@ -1,67 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# These macros are defined by mozilla's configure script.
-# We define them manually here.
-#
-
-DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR
-
-#
-# Most platforms have snprintf, so it's simpler to list the exceptions.
-#
-HAVE_SNPRINTF = 1
-#
-# OSF1 V4.0D doesn't have snprintf but V5.0A does.
-#
-ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D)
-HAVE_SNPRINTF =
-endif
-ifdef HAVE_SNPRINTF
-DEFINES += -DHAVE_SNPRINTF
-endif
-
-ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_CDEFS_H
-endif
-
-ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_BYTEORDER_H
-endif
-
-#
-# None of the platforms that we are interested in need to
-# define HAVE_MEMORY_H.
-#
deleted file mode 100644
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS =	nsres.h   \
-		cdefs.h   \
-		mcom_db.h \
-		ncompat.h \
-		winfile.h \
-		$(NULL)
-
-PRIVATE_EXPORTS =	hsearch.h \
-			page.h    \
-			extern.h  \
-			ndbm.h    \
-			queue.h   \
-			hash.h    \
-			mpool.h   \
-			search.h  \
-			$(NULL)
-
deleted file mode 100644
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,45 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-IMPORTS = nspr20/v4.4.1
-
-RELEASE = dbm
-
-DIRS =  include \
-        src     \
-	$(NULL)
deleted file mode 100644
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(CORE_DEPTH)/dbm/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-#  Currently, override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY   =
-PROGRAM        =
-
-ifdef SHARED_LIBRARY
-	ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16
-		DLLBASE=/BASE:0x30000000
-		RES=$(OBJDIR)/dbm.res
-		RESNAME=../include/dbm.rc
-	endif
-	ifeq ($(DLL_SUFFIX),dll)
-		DEFINES += -D_DLL
-	endif
-endif
-
-ifeq ($(OS_TARGET),AIX)
-	OS_LIBS += -lc_r
-endif
deleted file mode 100644
--- a/security/dbm/src/dirent.c
+++ /dev/null
@@ -1,348 +0,0 @@
-#ifdef OS2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <dirent.h>
-#include <errno.h>
-
-/*#ifndef __EMX__ 
-#include <libx.h>
-#endif */
-
-#define INCL_DOSFILEMGR
-#define INCL_DOSERRORS
-#include <os2.h>
-
-#if OS2 >= 2
-# define FFBUF	FILEFINDBUF3
-# define Word	ULONG
-  /*
-   * LS20 recommends a request count of 100, but according to the
-   * APAR text it does not lead to missing files, just to funny
-   * numbers of returned entries.
-   *
-   * LS30 HPFS386 requires a count greater than 2, or some files
-   * are missing (those starting with a character less that '.').
-   *
-   * Novell looses entries which overflow the buffer. In previous
-   * versions of dirent2, this could have lead to missing files
-   * when the average length of 100 directory entries was 40 bytes
-   * or more (quite unlikely for files on a Novell server).
-   *
-   * Conclusion: Make sure that the entries all fit into the buffer
-   * and that the buffer is large enough for more than 2 entries
-   * (each entry is at most 300 bytes long). And ignore the LS20
-   * effect.
-   */
-# define Count	25
-# define BufSz	(25 * (sizeof(FILEFINDBUF3)+1))
-#else
-# define FFBUF	FILEFINDBUF
-# define Word	USHORT
-# define BufSz	1024
-# define Count	3
-#endif
-
-#if defined(__IBMC__) || defined(__IBMCPP__)
-  #define error(rc) _doserrno = rc, errno = EOS2ERR
-#elif defined(MICROSOFT)
-  #define error(rc) _doserrno = rc, errno = 255
-#else
-  #define error(rc) errno = 255
-#endif
-
-struct _dirdescr {
-	HDIR		handle;		/* DosFindFirst handle */
-	char		fstype;		/* filesystem type */
-	Word		count;		/* valid entries in <ffbuf> */
-	long		number;		/* absolute number of next entry */
-	int		index;		/* relative number of next entry */
-	FFBUF *		next;		/* pointer to next entry */
-	char		name[MAXPATHLEN+3]; /* directory name */
-	unsigned	attrmask;	/* attribute mask for seekdir */
-	struct dirent	entry;		/* buffer for directory entry */
-	BYTE		ffbuf[BufSz];
-};
-
-/*
- * Return first char of filesystem type, or 0 if unknown.
- */
-static char
-getFSType(const char *path)
-{
-	static char cache[1+26];
-	char drive[3], info[512];
-	Word unit, infolen;
-	char r;
-
-	if (isalpha(path[0]) && path[1] == ':') {
-		unit = toupper(path[0]) - '@';
-		path += 2;
-	} else {
-		ULONG driveMap;
-#if OS2 >= 2
-		if (DosQueryCurrentDisk(&unit, &driveMap))
-#else
-		if (DosQCurDisk(&unit, &driveMap))
-#endif
-			return 0;
-	}
-
-	if ((path[0] == '\\' || path[0] == '/')
-	 && (path[1] == '\\' || path[1] == '/'))
-		return 0;
-
-	if (cache [unit])
-		return cache [unit];
-
-	drive[0] = '@' + unit;
-	drive[1] = ':';
-	drive[2] = '\0';
-	infolen = sizeof info;
-#if OS2 >= 2
-	if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
-		return 0;
-	if (infolen >= sizeof(FSQBUFFER2)) {
-		FSQBUFFER2 *p = (FSQBUFFER2 *)info;
-		r = p->szFSDName[p->cbName];
-	} else
-#else
-	if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
-		return 0;
-	if (infolen >= 9) {
-		char *p = info + sizeof(USHORT);
-		p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
-		r = *p;
-	} else
-#endif
-		r = 0;
-	return cache [unit] = r;
-}
-
-char *
-abs_path(const char *name, char *buffer, int len)
-{
-	char buf[4];
-	if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') {
-		buf[0] = name[0];
-		buf[1] = name[1];
-		buf[2] = '.';
-		buf[3] = '\0';
-		name = buf;
-	}
-#if OS2 >= 2
-	if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len))
-#else
-	if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L))
-#endif
-		return NULL;
-	return buffer;
-}
-
-DIR *
-openxdir(const char *path, unsigned att_mask)
-{
-	DIR *dir;
-	char name[MAXPATHLEN+3];
-	Word rc;
-
-	dir = malloc(sizeof(DIR));
-	if (dir == NULL) {
-		errno = ENOMEM;
-		return NULL;
-	}
-
-	strncpy(name, path, MAXPATHLEN);
-	name[MAXPATHLEN] = '\0';
-	switch (name[strlen(name)-1]) {
-	default:
-		strcat(name, "\\");
-	case '\\':
-	case '/':
-	case ':':
-		;
-	}
-	strcat(name, ".");
-	if (!abs_path(name, dir->name, MAXPATHLEN+1))
-		strcpy(dir->name, name);
-	if (dir->name[strlen(dir->name)-1] == '\\')
-		strcat(dir->name, "*");
-	else
-		strcat(dir->name, "\\*");
-
-	dir->fstype = getFSType(dir->name);
-	dir->attrmask = att_mask | A_DIR;
-
-	dir->handle = HDIR_CREATE;
-	dir->count = 100;
-#if OS2 >= 2
-	rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask,
-		dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-	rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask,
-		(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-	switch (rc) {
-	default:
-		free(dir);
-		error(rc);
-		return NULL;
-	case NO_ERROR:
-	case ERROR_NO_MORE_FILES:
-		;
-	}
-
-	dir->number = 0;
-	dir->index = 0;
-	dir->next = (FFBUF *)dir->ffbuf;
-
-	return (DIR *)dir;
-}
-
-DIR *
-opendir(const char *pathname)
-{
-	return openxdir(pathname, 0);
-}
-
-struct dirent *
-readdir(DIR *dir)
-{
-	static int dummy_ino = 2;
-
-	if (dir->index == dir->count) {
-		Word rc;
-		dir->count = 100;
-#if OS2 >= 2
-		rc = DosFindNext(dir->handle, dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#else
-		rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#endif
-		if (rc) {
-			error(rc);
-			return NULL;
-		}
-
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	if (dir->index == dir->count)
-		return NULL;
-
-	memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName);
-	dir->entry.d_name[dir->next->cchName] = '\0';
-	dir->entry.d_ino = dummy_ino++;
-	dir->entry.d_reclen = dir->next->cchName;
-	dir->entry.d_namlen = dir->next->cchName;
-	dir->entry.d_size = dir->next->cbFile;
-	dir->entry.d_attribute = dir->next->attrFile;
-	dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite;
-	dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite;
-
-	switch (dir->fstype) {
-	case 'F': /* FAT */
-	case 'C': /* CDFS */
-		if (dir->next->attrFile & FILE_DIRECTORY)
-			strupr(dir->entry.d_name);
-		else
-			strlwr(dir->entry.d_name);
-	}
-
-#if OS2 >= 2
-	dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset);
-#else
-	dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1);
-#endif
-	++dir->number;
-	++dir->index;
-
-	return &dir->entry;
-}
-
-long
-telldir(DIR *dir)
-{
-	return dir->number;
-}
-
-void
-seekdir(DIR *dir, long off)
-{
-	if (dir->number > off) {
-		char name[MAXPATHLEN+2];
-		Word rc;
-
-		DosFindClose(dir->handle);
-
-		strcpy(name, dir->name);
-		strcat(name, "*");
-
-		dir->handle = HDIR_CREATE;
-		dir->count = 32767;
-#if OS2 >= 2
-		rc = DosFindFirst(name, &dir->handle, dir->attrmask,
-			dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-		rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask,
-			(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-		switch (rc) {
-		default:
-			error(rc);
-			return;
-		case NO_ERROR:
-		case ERROR_NO_MORE_FILES:
-			;
-		}
-
-		dir->number = 0;
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	while (dir->number < off && readdir(dir))
-		;
-}
-
-void
-closedir(DIR *dir)
-{
-	DosFindClose(dir->handle);
-	free(dir);
-}
-
-/*****************************************************************************/
-
-#ifdef TEST
-
-main(int argc, char **argv)
-{
-	int i;
-	DIR *dir;
-	struct dirent *ep;
-
-	for (i = 1; i < argc; ++i) {
-		dir = opendir(argv[i]);
-		if (!dir)
-			continue;
-		while (ep = readdir(dir))
-			if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1]))
-				printf("%s%s\n", argv[i], ep->d_name);
-			else
-				printf("%s/%s\n", argv[i], ep->d_name);
-		closedir(dir);
-	}
-
-	return 0;
-}
-
-#endif
-
-#endif /* OS2 */
-
deleted file mode 100644
--- a/security/dbm/src/dirent.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __DIRENT_H__
-#define __DIRENT_H__
-/*
- * @(#)msd_dir.h 1.4 87/11/06   Public Domain.
- *
- *  A public domain implementation of BSD directory routines for
- *  MS-DOS.  Written by Michael Rendell ({uunet,utai}michael@garfield),
- *  August 1897
- *
- *  Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks
- *  and returns 2 more pieces of information - file size & attribute.
- *  Plus a little reshuffling of some #define's positions    December 1987
- *
- *  Some modifications by Martin Junius                      02-14-89
- *
- *	AK900712
- *	AK910410	abs_path - make absolute path
- *
- */
-
-#ifdef __EMX__
-#include <sys/param.h>
-#else
-#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC)
-#include <stdio.h>
-#ifdef MAXPATHLEN
-	#undef MAXPATHLEN
-#endif
-#define MAXPATHLEN (FILENAME_MAX*4)
-#define MAXNAMLEN FILENAME_MAX
-
-#else
-#include <param.h>
-#endif
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* attribute stuff */
-#ifndef A_RONLY
-# define A_RONLY   0x01
-# define A_HIDDEN  0x02
-# define A_SYSTEM  0x04
-# define A_LABEL   0x08
-# define A_DIR     0x10
-# define A_ARCHIVE 0x20
-#endif
-
-struct dirent {
-#if defined(OS2) || defined(WIN32)        /* use the layout of EMX to avoid trouble */
-    int            d_ino;                 /* Dummy */
-    int            d_reclen;		  /* Dummy, same as d_namlen */
-    int            d_namlen;              /* length of name */
-    char           d_name[MAXNAMLEN + 1];
-    unsigned long  d_size;
-    unsigned short d_attribute;           /* attributes (see above) */
-    unsigned short d_time;                /* modification time */
-    unsigned short d_date;                /* modification date */
-#else
-    char	   d_name[MAXNAMLEN + 1]; /* garentee null termination */
-    char	   d_attribute;		  /* .. extension .. */
-    unsigned long  d_size;		  /* .. extension .. */
-#endif
-};
-
-typedef struct _dirdescr DIR;
-/* the structs do not have to be defined here */
-
-extern DIR		*opendir(const char *);
-extern DIR		*openxdir(const char *, unsigned);
-extern struct dirent	*readdir(DIR *);
-extern void		seekdir(DIR *, long);
-extern long		telldir(DIR *);
-extern void 		closedir(DIR *);
-#define			rewinddir(dirp) seekdir(dirp, 0L)
-
-extern char *		abs_path(const char *name, char *buffer, int len);
-
-#ifndef S_IFMT
-#define S_IFMT ( S_IFDIR | S_IFREG )
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR( m )                    (((m) & S_IFMT) == S_IFDIR)
-#endif
-
-#ifndef S_ISREG
-#define S_ISREG( m )                    (((m) & S_IFMT) == S_IFREG)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
deleted file mode 100644
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-#
-# memmove.c, snprintf.c, and strerror.c are not in CSRCS because
-# the Standard C Library has memmove and strerror and DBM is not
-# using snprintf.
-#
-
-CSRCS = db.c	   \
-	h_bigkey.c \
-	h_func.c   \
-	h_log2.c   \
-	h_page.c   \
-	hash.c	   \
-	hash_buf.c \
-	hsearch.c  \
-	mktemp.c   \
-	ndbm.c	   \
-	nsres.c	   \
-	dirent.c	   \
-	$(NULL)
-
-LIBRARY_NAME = dbm
deleted file mode 100644
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-VPATH		= $(CORE_DEPTH)/../dbm/tests
-
-MODULE		= dbm
-
-CSRCS		= lots.c
-
-PROGRAM		= lots
-
-include $(DEPTH)/coreconf/config.mk
-
-include $(DEPTH)/dbm/config/config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET))) 
-LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS		= $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
-	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
-	$(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
-	purify $(CC) -o crash.pure $(CFLAGS) $^
-
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/cmdlib/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/cmdlib/cmdline.c
@@ -0,0 +1,477 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <string.h>
+#include <ctype.h>
+
+#include "cmdutil.h"
+
+static int s_indent_size = 4;
+
+void
+CMD_SetIndentSize(int size) 
+{
+    s_indent_size = size;
+}
+
+#if 0
+static void
+indent(PRFileDesc *out, int level)
+{
+    int i, j;
+    for (i=0; i<level; i++)
+	for (j=0; j<s_indent_size; j++)	
+	    PR_fprintf(out, " ");
+}
+#endif
+
+struct cmdPrintStateStr {
+    PRFileDesc *file;
+    int width;
+    int indent;
+    int linepos;
+};
+
+static void
+init_print_ps(cmdPrintState *ps, PRFileDesc *outfile, int width, int indent)
+{
+    ps->file = (outfile) ? outfile : PR_STDOUT;
+    ps->width = (width > 0) ? width : 80;
+    ps->indent = (indent > 0) ? indent : 0;
+    ps->linepos = 0;
+}
+
+static void
+print_ps_indent(cmdPrintState *ps)
+{
+    int j;
+    if (ps->linepos != 0) {
+	PR_fprintf(ps->file, "\n");
+	ps->linepos = 0;
+    }
+    for (j=0; j<=ps->indent; j++) PR_fprintf(ps->file, " ");
+    ps->linepos = ps->indent;
+}
+
+static void
+print_ps_to_indent(cmdPrintState *ps)
+{
+    if (ps->linepos > ps->indent)
+	PR_fprintf(ps->file, "\n");
+    while (ps->linepos <= ps->indent) {
+	PR_fprintf(ps->file, " ");
+	ps->linepos++;
+    }
+}
+
+static void
+nprintbuf(cmdPrintState *ps, char *buf, int start, int len)
+{
+    int j;
+    for (j=start; j<start + len; j++) {
+	if (buf[j] == '\n') {
+	    PR_fprintf(ps->file, "\n");
+	    ps->linepos = 0;
+	    print_ps_indent(ps);
+	} else {
+	    PR_fprintf(ps->file, "%c", buf[j]);
+	    ps->linepos++;
+	}
+    }
+}
+
+static void 
+nprintf(cmdPrintState *ps, char *msg, ...)
+{
+    char buf[256];
+    int i, len, grouplen;
+    PRBool openquote, openbracket, openparen, openangle, itsaword;
+    va_list args;
+    va_start(args, msg);
+    vsprintf(buf, msg, args);
+    len = strlen(buf);
+    /* print_ps_indent(ps); */
+    if (len < ps->width - ps->linepos) {
+	nprintbuf(ps, buf, 0, len + 1);
+	return;
+    }
+    /* group in this order: " [ ( < word > ) ] " */
+    i=0;
+    openquote=openbracket=openparen=openangle=itsaword=PR_FALSE;
+    while (i<len) {
+	grouplen = 0;
+	if (buf[i] == '\"') { openquote = PR_TRUE; grouplen = 1; }
+	else if (buf[i] == '[') { openbracket = PR_TRUE; grouplen = 1; }
+	else if (buf[i] == '(') { openparen = PR_TRUE; grouplen = 1; }
+	else if (buf[i] == '<') { openangle = PR_TRUE; grouplen = 1; }
+	else itsaword = PR_TRUE;
+	while (grouplen < len && buf[i+grouplen] != '\0' &&
+	       ((openquote && buf[i+grouplen] != '\"') ||
+	        (openbracket && buf[i+grouplen] != ']') ||
+	        (openparen && buf[i+grouplen] != ')') ||
+	        (openangle && buf[i+grouplen] != '>') ||
+	        (itsaword && !isspace(buf[i+grouplen]))))
+	    grouplen++;
+	grouplen++; /* grab the terminator (whitespace for word) */
+	if (!itsaword && isspace(buf[i+grouplen])) grouplen++;
+	if (grouplen < ps->width - ps->linepos) {
+	    nprintbuf(ps, buf, i, grouplen);
+	} else if (grouplen < ps->width - ps->indent) {
+	    print_ps_indent(ps);
+	    nprintbuf(ps, buf, i, grouplen);
+	} else {
+	    /* it's just too darn long.  what to do? */
+	}
+	i += grouplen;
+	openquote=openbracket=openparen=openangle=itsaword=PR_FALSE;
+    }
+    va_end(args);
+}
+
+void 
+CMD_PrintUsageString(cmdPrintState *ps, char *str)
+{
+    nprintf(ps, "%s", str);
+}
+
+/* void because it exits with Usage() if failure */
+static void
+command_line_okay(cmdCommand *cmd, char *progName)
+{
+    int i, c = -1;
+    /* user asked for help.  hope somebody gives it to them. */
+    if (cmd->opt[0].on) return;
+    /* check that the command got all of its needed options */
+    for (i=0; i<cmd->ncmd; i++) {
+	if (cmd->cmd[i].on) {
+	    if (c > 0) {
+		fprintf(stderr, 
+		        "%s: only one command can be given at a time.\n",
+		        progName);
+		CMD_Usage(progName, cmd);
+	    } else {
+		c = i;
+	    }
+	}
+    }
+    if (cmd->cmd[c].argUse == CMDArgReq && cmd->cmd[c].arg == NULL) {
+	/* where's the arg when you need it... */
+	fprintf(stderr, "%s: command --%s requires an argument.\n",
+	                 progName, cmd->cmd[c].s);
+	fprintf(stderr, "type \"%s --%s --help\" for help.\n",
+	                 progName, cmd->cmd[c].s);
+	CMD_Usage(progName, cmd);
+    }
+    for (i=0; i<cmd->nopt; i++) {
+	if (cmd->cmd[c].req & CMDBIT(i)) {
+	    /* command requires this option */
+	    if (!cmd->opt[i].on) {
+		/* but it ain't there */
+		fprintf(stderr, "%s: command --%s requires option --%s.\n",
+		                 progName, cmd->cmd[c].s, cmd->opt[i].s);
+	    } else {
+		/* okay, its there, but does it have an arg? */
+		if (cmd->opt[i].argUse == CMDArgReq && !cmd->opt[i].arg) {
+		    fprintf(stderr, "%s: option --%s requires an argument.\n",
+		                     progName, cmd->opt[i].s);
+		}
+	    }
+	} else if (cmd->cmd[c].opt & CMDBIT(i)) {
+	   /* this option is optional */
+	    if (cmd->opt[i].on) {
+		/* okay, its there, but does it have an arg? */
+		if (cmd->opt[i].argUse == CMDArgReq && !cmd->opt[i].arg) {
+		    fprintf(stderr, "%s: option --%s requires an argument.\n",
+		                     progName, cmd->opt[i].s);
+		}
+	    }
+	} else {
+	   /* command knows nothing about it */
+	   if (cmd->opt[i].on) {
+		/* so why the h--- is it on? */
+		fprintf(stderr, "%s: option --%s not used with command --%s.\n",
+		                 progName, cmd->opt[i].s, cmd->cmd[c].s);
+	   }
+	}
+    }
+}
+
+static char *
+get_arg(char *curopt, char **nextopt, int argc, int *index)
+{
+    char *str;
+    if (curopt) {
+	str = curopt;
+    } else {
+	if (*index + 1 >= argc) return NULL;
+	/* not really an argument but another flag */
+	if (nextopt[*index+1][0] == '-') return NULL;
+	str = nextopt[++(*index)];
+    }
+    /* parse the option */
+    return strdup(str);
+}
+
+int
+CMD_ParseCommandLine(int argc, char **argv, char *progName, cmdCommand *cmd)
+{
+    int i, j, k;
+    int cmdToRun = -1;
+    char *flag;
+    i=1;
+    if (argc <= 1) return -2; /* gross hack for cmdless things like atob */
+    do {
+	flag = argv[i];
+	if (strlen(flag) < 2) /* huh? */
+	    return -1;
+	if (flag[0] != '-')
+	    return -1;
+	/* ignore everything after lone "--" (app-specific weirdness there) */
+	if (strcmp(flag, "--") == 0)
+	    return cmdToRun;
+	/* single hyphen means short alias (single-char) */
+	if (flag[1] != '-') {
+	    j=1;
+	    /* collect a set of opts, ex. -abc */
+	    while (flag[j] != '\0') {
+		PRBool found = PR_FALSE;
+		/* walk the command set looking for match */
+		for (k=0; k<cmd->ncmd; k++) {
+		    if (flag[j] == cmd->cmd[k].c) {
+			/* done - only take one command at a time */
+			if (j > 1) return -1;
+			cmd->cmd[k].on = found = PR_TRUE;
+			cmdToRun = k;
+			if (cmd->cmd[k].argUse != CMDNoArg)
+			    cmd->cmd[k].arg = get_arg(NULL, argv, argc, &i);
+			goto next_flag;
+		    }
+		}
+		/* wasn't found in commands, try options */
+		for (k=0; k<cmd->nopt; k++) {
+		    if (flag[j] == cmd->opt[k].c) {
+			/* collect this option and keep going */
+			cmd->opt[k].on = found = PR_TRUE;
+			if (flag[j+1] == '\0') {
+			    if (cmd->opt[k].argUse != CMDNoArg)
+				cmd->opt[k].arg = get_arg(NULL, argv, argc, &i);
+			    goto next_flag;
+			}
+		    }
+		}
+		j++;
+		if (!found) return -1;
+	    }
+	} else { /* long alias, ex. --list */
+	    char *fl = NULL, *arg = NULL;
+	    PRBool hyphened = PR_FALSE;
+	    fl = &flag[2];
+	    arg = strchr(fl, '=');
+	    if (arg) {
+		*arg++ = '\0';
+	    } else {
+		arg = strchr(fl, '-');
+		if (arg) {
+		    hyphened = PR_TRUE; /* watch this, see below */
+		    *arg++ = '\0';
+		}
+	    }
+	    for (k=0; k<cmd->ncmd; k++) {
+		if (strcmp(fl, cmd->cmd[k].s) == 0) {
+		    cmd->cmd[k].on = PR_TRUE;
+		    cmdToRun = k;
+		    if (cmd->cmd[k].argUse != CMDNoArg || hyphened) {
+			cmd->cmd[k].arg = get_arg(arg, argv, argc, &i);
+		    }
+		    if (arg) arg[-1] = '=';
+		    goto next_flag;
+		}
+	    }
+	    for (k=0; k<cmd->nopt; k++) {
+		if (strcmp(fl, cmd->opt[k].s) == 0) {
+		    cmd->opt[k].on = PR_TRUE;
+		    if (cmd->opt[k].argUse != CMDNoArg || hyphened) {
+			cmd->opt[k].arg = get_arg(arg, argv, argc, &i);
+		    }
+		    if (arg) arg[-1] = '=';
+		    goto next_flag;
+		}
+	    }
+	    return -1;
+	}
+next_flag:
+	i++;
+    } while (i < argc);
+    command_line_okay(cmd, progName);
+    return cmdToRun;
+}
+
+void
+CMD_LongUsage(char *progName, cmdCommand *cmd, cmdUsageCallback usage)
+{
+    int i, j;
+    PRBool oneCommand = PR_FALSE;
+    cmdPrintState ps;
+    init_print_ps(&ps, PR_STDERR, 80, 0);
+    nprintf(&ps, "\n%s:   ", progName);
+    /* prints app-specific header */
+    ps.indent = strlen(progName) + 4;
+    usage(&ps, 0, PR_FALSE, PR_TRUE, PR_FALSE);
+    for (i=0; i<cmd->ncmd; i++) if (cmd->cmd[i].on) oneCommand = PR_TRUE;
+    for (i=0; i<cmd->ncmd; i++) {
+	if ((oneCommand  && cmd->cmd[i].on) || !oneCommand) {
+	    ps.indent = 0;
+	    print_ps_indent(&ps);
+	    if (cmd->cmd[i].c != 0) {
+		nprintf(&ps, "-%c, ", cmd->cmd[i].c);
+		nprintf(&ps, "--%-16s ", cmd->cmd[i].s);
+	    } else {
+		nprintf(&ps, "--%-20s ", cmd->cmd[i].s);
+	    }
+	    ps.indent += 20;
+	    usage(&ps, i, PR_TRUE, PR_FALSE, PR_FALSE);
+	    for (j=0; j<cmd->nopt; j++) {
+		if (cmd->cmd[i].req & CMDBIT(j)) {
+		    ps.indent = 0;
+		    print_ps_indent(&ps);
+		    nprintf(&ps, "%3s* ", "");
+		    if (cmd->opt[j].c != 0) {
+			nprintf(&ps, "-%c, ", cmd->opt[j].c);
+			nprintf(&ps, "--%-16s  ", cmd->opt[j].s);
+		    } else {
+			nprintf(&ps, "--%-20s  ", cmd->opt[j].s);
+		    }
+		    ps.indent += 29;
+		    usage(&ps, j, PR_FALSE, PR_FALSE, PR_FALSE);
+		}
+	    }
+	    for (j=0; j<cmd->nopt; j++) {
+		if (cmd->cmd[i].opt & CMDBIT(j)) {
+		    ps.indent = 0;
+		    print_ps_indent(&ps);
+		    nprintf(&ps, "%5s", "");
+		    if (cmd->opt[j].c != 0) {
+			nprintf(&ps, "-%c, ", cmd->opt[j].c);
+			nprintf(&ps, "--%-16s  ", cmd->opt[j].s);
+		    } else {
+			nprintf(&ps, "--%-20s  ", cmd->opt[j].s);
+		    }
+		    ps.indent += 29;
+		    usage(&ps, j, PR_FALSE, PR_FALSE, PR_FALSE);
+		}
+	    }
+	}
+	nprintf(&ps, "\n");
+    }
+    ps.indent = 0;
+    nprintf(&ps, "\n* - required flag for command\n\n");
+    /* prints app-specific footer */
+    usage(&ps, 0, PR_FALSE, PR_FALSE, PR_TRUE);
+    /*nprintf(&ps, "\n\n");*/
+    exit(1);
+}
+
+void
+CMD_Usage(char *progName, cmdCommand *cmd)
+{
+    int i, j, inc;
+    PRBool first;
+    cmdPrintState ps;
+    init_print_ps(&ps, PR_STDERR, 80, 0);
+    nprintf(&ps, "%s", progName);
+    ps.indent = strlen(progName) + 1;
+    print_ps_to_indent(&ps);
+    for (i=0; i<cmd->ncmd; i++) {
+	if (cmd->cmd[i].c != 0) {
+	    nprintf(&ps, "-%c", cmd->cmd[i].c);
+	    inc = 4;
+	} else {
+	    nprintf(&ps, "--%s", cmd->cmd[i].s);
+	    inc = 4 + strlen(cmd->cmd[i].s);
+	}
+	first = PR_TRUE;
+	ps.indent += inc;
+	print_ps_to_indent(&ps);
+	for (j=0; j<cmd->nopt; j++) {
+	    if (cmd->cmd[i].req & CMDBIT(j)) {
+		if (cmd->opt[j].c != 0 && cmd->opt[j].argUse == CMDNoArg) {
+		    if (first) {
+			nprintf(&ps, "-");
+			first = !first;
+		    }
+		    nprintf(&ps, "%c", cmd->opt[j].c);
+		}
+	    }
+	}
+	for (j=0; j<cmd->nopt; j++) {
+	    if (cmd->cmd[i].req & CMDBIT(j)) {
+		if (cmd->opt[j].c != 0)
+		    nprintf(&ps, "-%c ", cmd->opt[j].c);
+		else
+		    nprintf(&ps, "--%s ", cmd->opt[j].s);
+		if (cmd->opt[j].argUse != CMDNoArg)
+		    nprintf(&ps, "%s ", cmd->opt[j].s);
+	    }
+	}
+	first = PR_TRUE;
+	for (j=0; j<cmd->nopt; j++) {
+	    if (cmd->cmd[i].opt & CMDBIT(j)) {
+		if (cmd->opt[j].c != 0 && cmd->opt[j].argUse == CMDNoArg) {
+		    if (first) {
+			nprintf(&ps, "[-");
+			first = !first;
+		    }
+		    nprintf(&ps, "%c", cmd->opt[j].c);
+		}
+	    }
+	}
+	if (!first) nprintf(&ps, "] ");
+	for (j=0; j<cmd->nopt; j++) {
+	    if (cmd->cmd[i].opt & CMDBIT(j) && 
+	         cmd->opt[j].argUse != CMDNoArg) {
+		if (cmd->opt[j].c != 0)
+		    nprintf(&ps, "[-%c %s] ", cmd->opt[j].c, cmd->opt[j].s);
+		else
+		    nprintf(&ps, "[--%s %s] ", cmd->opt[j].s, cmd->opt[j].s);
+	    }
+	}
+	ps.indent -= inc;
+	print_ps_indent(&ps);
+    }
+    ps.indent = 0;
+    nprintf(&ps, "\n");
+    exit(1);
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/cmdlib/cmdutil.h
@@ -0,0 +1,118 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CMDUTIL_H_
+#define _CMDUTIL_H_
+
+#include <stdio.h>
+#include "nspr.h"
+#include "nssbase.h"
+
+typedef int 
+(* CMD_PPFunc)(PRFileDesc *out, NSSItem *item, char *msg, int level);
+
+
+/*
+ * Command Line Parsing routines
+ *
+ * The attempt here is to provide common functionality for command line
+ * parsing across an array of tools.  The tools should obey the historical
+ * rules of:
+ *
+ * (1) one command per line,
+ * (2) the command should be uppercase,
+ * (3) options should be lowercase,
+ * (4) a short usage statement is presented in case of error,
+ * (5) a long usage statement is given by -? or --help
+ */
+
+/* To aid in formatting usage output.  XXX Uh, why exposed? */
+typedef struct cmdPrintStateStr cmdPrintState;
+
+typedef enum {
+    CMDArgReq = 0,
+    CMDArgOpt,
+    CMDNoArg
+} CMDArg;
+
+struct cmdCommandLineArgStr {
+    char     c;      /* one-character alias for flag    */
+    char    *s;      /* string alias for flag           */
+    CMDArg   argUse; /* flag takes an argument          */
+    char    *arg;    /* argument given for flag         */
+    PRBool   on;     /* flag was issued at command-line */
+    int      req;    /* required arguments for commands */
+    int      opt;    /* optional arguments for commands */
+};
+
+struct cmdCommandLineOptStr {
+    char     c;      /* one-character alias for flag    */
+    char    *s;      /* string alias for flag           */
+    CMDArg   argUse; /* flag takes an argument          */
+    char    *arg;    /* argument given for flag         */
+    PRBool   on;     /* flag was issued at command-line */
+};
+
+typedef struct cmdCommandLineArgStr cmdCommandLineArg;
+typedef struct cmdCommandLineOptStr cmdCommandLineOpt;
+
+struct cmdCommandStr {
+    int ncmd;
+    int nopt;
+    cmdCommandLineArg *cmd;
+    cmdCommandLineOpt *opt;
+};
+
+typedef struct cmdCommandStr cmdCommand;
+
+int 
+CMD_ParseCommandLine(int argc, char **argv, char *progName, cmdCommand *cmd);
+
+typedef void 
+(* cmdUsageCallback)(cmdPrintState *, int, PRBool, PRBool, PRBool);
+
+#define CMDBIT(n) (1<<n)
+
+void 
+CMD_Usage(char *progName, cmdCommand *cmd);
+
+void 
+CMD_LongUsage(char *progName, cmdCommand *cmd, cmdUsageCallback use);
+
+void 
+CMD_PrintUsageString(cmdPrintState *ps, char *str);
+
+#endif /* _CMDUTIL_H_ */
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/cmdlib/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/cmdlib/manifest.mn
@@ -0,0 +1,53 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH	= ../../..
+
+LIBRARY_NAME	= cmdutil
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE		= seccmd
+
+DEFINES		= -DNSPR20
+
+EXPORTS		= cmdutil.h \
+		  $(NULL)
+
+CSRCS		= cmdline.c \
+		$(NULL)
+
+REQUIRES	= nss nspr dbm
+
--- a/security/nss/cmd/fipstest/Makefile
+++ b/security/nss/cmd/fipstest/Makefile
@@ -57,20 +57,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
-#EXTRA_SHARED_LIBS += \
-#	-L/usr/lib \
-#	-lposix4 \
-#	$(NULL)
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/ecdsa.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST ECDSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa keypair $request > $response
+
+request=PKV.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa pkv $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa sigver $request > $response
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -36,308 +36,35 @@
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
 
 #include "secitem.h"
 #include "blapi.h"
 #include "nss.h"
+#include "secerr.h"
+#include "secoidt.h"
+#include "keythi.h"
+#include "ec.h"
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
 
-static const unsigned char
-table3[32][8] = {
-  { 0x10, 0x46, 0x91, 0x34, 0x89, 0x98, 0x01, 0x31 },
-  { 0x10, 0x07, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x07, 0x10, 0x34, 0xc8, 0x98, 0x01, 0x20 },
-  { 0x10, 0x46, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x51, 0x07, 0xb0, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x10, 0x07, 0xb0, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x54, 0x98, 0x08, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x94, 0x98, 0x08, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x15, 0xb9, 0x08, 0x01, 0x40 },
-  { 0x31, 0x07, 0x91, 0x15, 0x98, 0x08, 0x01, 0x40 },
-  { 0x10, 0x07, 0xd0, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0x91, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0xd0, 0x15, 0x89, 0x19, 0x01, 0x01 },
-  { 0x10, 0x07, 0xd0, 0x15, 0x98, 0x98, 0x01, 0x20 },
-  { 0x10, 0x07, 0x94, 0x04, 0x98, 0x19, 0x01, 0x01 },
-  { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x04, 0x01 },
-  { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x01, 0x01 },
-  { 0x01, 0x07, 0x94, 0x04, 0x91, 0x19, 0x04, 0x01 },
-  { 0x19, 0x07, 0x92, 0x10, 0x98, 0x1a, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x19, 0x98, 0x19, 0x08, 0x01 },
-  { 0x10, 0x07, 0x91, 0x19, 0x98, 0x1a, 0x08, 0x01 },
-  { 0x10, 0x07, 0x92, 0x10, 0x98, 0x19, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x15, 0x98, 0x19, 0x01, 0x0b },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x01 },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x02 },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x08 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x01, 0x04 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x19, 0x01, 0x04 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x02, 0x01 },
-  { 0x10, 0x02, 0x91, 0x16, 0x98, 0x10, 0x01, 0x01 }
-};
-
-static const unsigned char
-table4_key[19][8] = {
-  { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 },
-  { 0x01, 0x31, 0xd9, 0x61, 0x9d, 0xc1, 0x37, 0x6e },
-  { 0x07, 0xa1, 0x13, 0x3e, 0x4a, 0x0b, 0x26, 0x86 },
-  { 0x38, 0x49, 0x67, 0x4c, 0x26, 0x02, 0x31, 0x9e },
-  { 0x04, 0xb9, 0x15, 0xba, 0x43, 0xfe, 0xb5, 0xb6 },
-  { 0x01, 0x13, 0xb9, 0x70, 0xfd, 0x34, 0xf2, 0xce },
-  { 0x01, 0x70, 0xf1, 0x75, 0x46, 0x8f, 0xb5, 0xe6 },
-  { 0x43, 0x29, 0x7f, 0xad, 0x38, 0xe3, 0x73, 0xfe },
-  { 0x07, 0xa7, 0x13, 0x70, 0x45, 0xda, 0x2a, 0x16 },
-  { 0x04, 0x68, 0x91, 0x04, 0xc2, 0xfd, 0x3b, 0x2f },
-  { 0x37, 0xd0, 0x6b, 0xb5, 0x16, 0xcb, 0x75, 0x46 },
-  { 0x1f, 0x08, 0x26, 0x0d, 0x1a, 0xc2, 0x46, 0x5e },
-  { 0x58, 0x40, 0x23, 0x64, 0x1a, 0xba, 0x61, 0x76 },
-  { 0x02, 0x58, 0x16, 0x16, 0x46, 0x29, 0xb0, 0x07 },
-  { 0x49, 0x79, 0x3e, 0xbc, 0x79, 0xb3, 0x25, 0x8f },
-  { 0x4f, 0xb0, 0x5e, 0x15, 0x15, 0xab, 0x73, 0xa7 },
-  { 0x49, 0xe9, 0x5d, 0x6d, 0x4c, 0xa2, 0x29, 0xbf },
-  { 0x01, 0x83, 0x10, 0xdc, 0x40, 0x9b, 0x26, 0xd6 },
-  { 0x1c, 0x58, 0x7f, 0x1c, 0x13, 0x92, 0x4f, 0xef }
-};
-
-static const unsigned char
-table4_inp[19][8] = {
-  { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 },
-  { 0x5c, 0xd5, 0x4c, 0xa8, 0x3d, 0xef, 0x57, 0xda },
-  { 0x02, 0x48, 0xd4, 0x38, 0x06, 0xf6, 0x71, 0x72 },
-  { 0x51, 0x45, 0x4b, 0x58, 0x2d, 0xdf, 0x44, 0x0a },
-  { 0x42, 0xfd, 0x44, 0x30, 0x59, 0x57, 0x7f, 0xa2 },
-  { 0x05, 0x9b, 0x5e, 0x08, 0x51, 0xcf, 0x14, 0x3a },
-  { 0x07, 0x56, 0xd8, 0xe0, 0x77, 0x47, 0x61, 0xd2 },
-  { 0x76, 0x25, 0x14, 0xb8, 0x29, 0xbf, 0x48, 0x6a },
-  { 0x3b, 0xdd, 0x11, 0x90, 0x49, 0x37, 0x28, 0x02 },
-  { 0x26, 0x95, 0x5f, 0x68, 0x35, 0xaf, 0x60, 0x9a },
-  { 0x16, 0x4d, 0x5e, 0x40, 0x4f, 0x27, 0x52, 0x32 },
-  { 0x6b, 0x05, 0x6e, 0x18, 0x75, 0x9f, 0x5c, 0xca },
-  { 0x00, 0x4b, 0xd6, 0xef, 0x09, 0x17, 0x60, 0x62 },
-  { 0x48, 0x0d, 0x39, 0x00, 0x6e, 0xe7, 0x62, 0xf2 },
-  { 0x43, 0x75, 0x40, 0xc8, 0x69, 0x8f, 0x3c, 0xfa },
-  { 0x07, 0x2d, 0x43, 0xa0, 0x77, 0x07, 0x52, 0x92 },
-  { 0x02, 0xfe, 0x55, 0x77, 0x81, 0x17, 0xf1, 0x2a },
-  { 0x1d, 0x9d, 0x5c, 0x50, 0x18, 0xf7, 0x28, 0xc2 },
-  { 0x30, 0x55, 0x32, 0x28, 0x6d, 0x6f, 0x29, 0x5a }
-};
-
-static const unsigned char 
-des_ecb_enc_sample_key[8] = { 0x97, 0xae, 0x43, 0x08, 0xb6, 0xa8, 0x7a, 0x08 };
-static const unsigned char 
-des_ecb_enc_sample_inp[8] = { 0xcf, 0xcd, 0x91, 0xf1, 0xb3, 0x40, 0xc9, 0x91 };
-
-static const unsigned char 
-des_ecb_dec_sample_key[8] = { 0x0b, 0x8c, 0x38, 0xef, 0x52, 0x01, 0xda, 0x13 };
-static const unsigned char 
-des_ecb_dec_sample_inp[8] = { 0x58, 0x0b, 0x39, 0x57, 0x3d, 0x9b, 0x8d, 0xdf };
-
-static const unsigned char 
-des_cbc_enc_sample_key[8] = { 0x58, 0x62, 0xd3, 0xf8, 0x04, 0xe9, 0xb3, 0x98 };
-static const unsigned char 
-des_cbc_enc_sample_iv[8]  = { 0xac, 0xcf, 0x45, 0x4c, 0x1a, 0x28, 0x68, 0xcf };
-static const unsigned char 
-des_cbc_enc_sample_inp[8] = { 0xf1, 0x55, 0x47, 0x63, 0x76, 0x0e, 0x43, 0xa9 };
-
-static const unsigned char 
-des_cbc_dec_sample_key[8] = { 0x64, 0x6d, 0x02, 0x75, 0xe9, 0x34, 0xe6, 0x7a };
-static const unsigned char 
-des_cbc_dec_sample_iv[8]  = { 0xb4, 0x32, 0xa3, 0x8c, 0xd5, 0xe3, 0x20, 0x1a };
-static const unsigned char 
-des_cbc_dec_sample_inp[8] = { 0x5a, 0xfe, 0xe8, 0xf2, 0xf6, 0x63, 0x4f, 0xb6 };
-
-static const unsigned char 
-tdea_ecb_enc_sample_key[24] = { 
-                            0x0b, 0x62, 0x7f, 0x67, 0xea, 0xda, 0x0b, 0x34,
-                            0x08, 0x07, 0x3b, 0xc8, 0x8c, 0x23, 0x1a, 0xb6,
-                            0x75, 0x0b, 0x9e, 0x57, 0x83, 0xf4, 0xe6, 0xa4 };
-static const unsigned char 
-tdea_ecb_enc_sample_inp[8] = { 0x44, 0x15, 0x7a, 0xb0, 0x0a, 0x78, 0x6d, 0xbf };
-
-static const unsigned char 
-tdea_ecb_dec_sample_key[24] = { 
-                           0x91, 0xe5, 0x07, 0xba, 0x01, 0x01, 0xb6, 0xdc,
-                           0x0e, 0x51, 0xf1, 0xd0, 0x25, 0xc2, 0xc2, 0x1c,
-                           0x1f, 0x54, 0x2f, 0xa1, 0xf8, 0xce, 0xda, 0x89  };
-static const unsigned char 
-tdea_ecb_dec_sample_inp[8] = { 0x66, 0xe8, 0x72, 0x0d, 0x42, 0x85, 0x4b, 0xba };
-
-static const unsigned char 
-tdea_cbc_enc_sample_key[24] = { 
-                           0xd5, 0xe5, 0x61, 0x61, 0xb0, 0xc4, 0xa4, 0x25,
-                           0x45, 0x1a, 0x15, 0x67, 0xa4, 0x89, 0x6b, 0xc4,
-                           0x3b, 0x54, 0x1a, 0x4c, 0x1a, 0xb5, 0x49, 0x0d };
-static const unsigned char 
-tdea_cbc_enc_sample_iv[8]  = { 0x5a, 0xb2, 0xa7, 0x3e, 0xc4, 0x3c, 0xe7, 0x1e };
-static const unsigned char 
-tdea_cbc_enc_sample_inp[8] = { 0x9e, 0x76, 0x87, 0x7c, 0x54, 0x14, 0xab, 0x50 };
-
-static const unsigned char 
-tdea_cbc_dec_sample_key[24] = {
-                           0xf8, 0x25, 0xcd, 0x02, 0xc7, 0x76, 0xe6, 0xce,
-                           0x9e, 0x16, 0xe6, 0x40, 0x7f, 0xcd, 0x01, 0x80,
-                           0x5b, 0x38, 0xc4, 0xe0, 0xb5, 0x6e, 0x94, 0x61 };
-static const unsigned char 
-tdea_cbc_dec_sample_iv[8]  = { 0x74, 0x3e, 0xdc, 0xc2, 0xc6, 0xc4, 0x18, 0xe3 };
-static const unsigned char 
-tdea_cbc_dec_sample_inp[8] = { 0xbe, 0x47, 0xd1, 0x77, 0xa5, 0xe8, 0x29, 0xfb };
-
+#ifdef NSS_ENABLE_ECC
+extern SECStatus
+EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
+#endif
 
-static const unsigned char 
-des_ecb_enc_key[8] = { 0x49, 0x45, 0xd9, 0x3d, 0x83, 0xcd, 0x61, 0x9b };
-static const unsigned char 
-des_ecb_enc_inp[8] = { 0x81, 0xf2, 0x12, 0x0d, 0x99, 0x04, 0x5d, 0x16 };
-
-static const unsigned char 
-des_ecb_dec_key[8] = { 0x7a, 0x6b, 0x61, 0x76, 0xc8, 0x85, 0x43, 0x31 };
-static const unsigned char 
-des_ecb_dec_inp[8] = { 0xef, 0xe4, 0x6e, 0x4f, 0x4f, 0xc3, 0x28, 0xcc };
-
-static const unsigned char 
-des_cbc_enc_key[8] = { 0xc8, 0x5e, 0xfd, 0xa7, 0xa7, 0xc2, 0xc4, 0x0d };
-static const unsigned char 
-des_cbc_enc_iv[8]  = { 0x4c, 0xb9, 0xcf, 0x46, 0xff, 0x7a, 0x3d, 0xff };
-static const unsigned char 
-des_cbc_enc_inp[8] = { 0x80, 0x1b, 0x24, 0x9b, 0x24, 0x0e, 0xa5, 0x96 };
-
-static const unsigned char 
-des_cbc_dec_key[8] = { 0x2c, 0x3d, 0xa1, 0x67, 0x4c, 0xfb, 0x85, 0x23 };
-static const unsigned char 
-des_cbc_dec_iv[8]  = { 0x7a, 0x0a, 0xc2, 0x15, 0x1d, 0x22, 0x98, 0x3a };
-static const unsigned char 
-des_cbc_dec_inp[8] = { 0x2d, 0x5d, 0x02, 0x04, 0x98, 0x5d, 0x5e, 0x28 };
-
-static const unsigned char 
-tdea1_ecb_enc_key[24] = { 
-                        0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4,
-                        0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4,
-                        0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4 };
-                        
-static const unsigned char 
-tdea1_ecb_enc_inp[8] = { 0xe5, 0x8c, 0x48, 0xf0, 0x91, 0x4e, 0xeb, 0x87 };
-
-static const unsigned char 
-tdea1_ecb_dec_key[24] = {
-                        0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37,
-                        0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37,
-                        0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37 };
-                        
-static const unsigned char 
-tdea1_ecb_dec_inp[8] = { 0x35, 0x7a, 0x6c, 0x05, 0xe0, 0x8c, 0x3d, 0xb7 };
-
-static const unsigned char 
-tdea1_cbc_enc_key[24] = { 
-                        0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94,
-                        0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94,
-                        0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94 };
-                        
-                        
-static const unsigned char 
-tdea1_cbc_enc_iv[8]  = { 0xf7, 0x3e, 0x14, 0x05, 0x88, 0xeb, 0x2e, 0x96 };
-static const unsigned char 
-tdea1_cbc_enc_inp[8] = { 0x18, 0x1b, 0xdf, 0x18, 0x10, 0xb2, 0xe0, 0x05 };
-
-static const unsigned char 
-tdea1_cbc_dec_key[24] = {
-                        0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c,
-                        0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c,
-                        0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c };
-                        
-                        
-static const unsigned char 
-tdea1_cbc_dec_iv[8]  = { 0xb9, 0x65, 0x4a, 0x94, 0xba, 0x6a, 0x66, 0xf9 };
-static const unsigned char 
-tdea1_cbc_dec_inp[8] = { 0xce, 0xb8, 0x30, 0x95, 0xac, 0x82, 0xdf, 0x9b };
-
-static const unsigned char 
-tdea2_ecb_enc_key[24] = { 
-                        0x79, 0x98, 0x4a, 0xe9, 0x23, 0xad, 0x10, 0xda,
-                        0x16, 0x3e, 0xb5, 0xfe, 0xcd, 0x52, 0x20, 0x01,
-                        0x79, 0x98, 0x4a, 0xe9, 0x23, 0xad, 0x10, 0xda };
-static const unsigned char 
-tdea2_ecb_enc_inp[8] = { 0x99, 0xd2, 0xca, 0xe8, 0xa7, 0x90, 0x13, 0xc2 };
-
-static const unsigned char 
-tdea2_ecb_dec_key[24] = { 
-                        0x98, 0xcd, 0x29, 0x52, 0x85, 0x91, 0x75, 0xe3,
-			0xab, 0x29, 0xe3, 0x10, 0xa2, 0x10, 0x04, 0x58,
-                        0x98, 0xcd, 0x29, 0x52, 0x85, 0x91, 0x75, 0xe3 };
-                        
-static const unsigned char 
-tdea2_ecb_dec_inp[8] = { 0xc0, 0x35, 0x24, 0x1f, 0xc9, 0x29, 0x5c, 0x7a };
-
-static const unsigned char 
-tdea2_cbc_enc_key[24] = {
-                        0xba, 0x5d, 0x70, 0xf8, 0x08, 0x13, 0xb0, 0x4c,
-			0xf8, 0x46, 0xa8, 0xce, 0xe6, 0xb3, 0x08, 0x02,
-                        0xba, 0x5d, 0x70, 0xf8, 0x08, 0x13, 0xb0, 0x4c };
-                        
-                        
-static const unsigned char 
-tdea2_cbc_enc_iv[8]  = { 0xe8, 0x39, 0xd7, 0x3a, 0x8d, 0x8c, 0x59, 0x8a };
-static const unsigned char 
-tdea2_cbc_enc_inp[8] = { 0x6e, 0x85, 0x0a, 0x4c, 0x86, 0x86, 0x70, 0x23 };
-
-static const unsigned char 
-tdea2_cbc_dec_key[24] = {
-                        0x25, 0xf8, 0x9e, 0x7a, 0xef, 0x26, 0xb5, 0x9e,
-			0x46, 0x32, 0x19, 0x9b, 0xea, 0x1c, 0x19, 0xad,
-                        0x25, 0xf8, 0x9e, 0x7a, 0xef, 0x26, 0xb5, 0x9e };
-                        
-                        
-static const unsigned char 
-tdea2_cbc_dec_iv[8]  = { 0x48, 0x07, 0x6f, 0xf9, 0x05, 0x14, 0xc1, 0xdc };
-static const unsigned char 
-tdea2_cbc_dec_inp[8] = { 0x9e, 0xf4, 0x10, 0x55, 0xe8, 0x7e, 0x7e, 0x25 }; 
-
-static const unsigned char 
-tdea3_ecb_enc_key[24] = { 
-                        0x6d, 0x37, 0x16, 0x31, 0x6e, 0x02, 0x83, 0xb6,
-                        0xf7, 0x16, 0xa2, 0x64, 0x57, 0x8c, 0xae, 0x34,
-                        0xd0, 0xce, 0x38, 0xb6, 0x31, 0x5e, 0xae, 0x1a };
-static const unsigned char 
-tdea3_ecb_enc_inp[8] = { 0x28, 0x8a, 0x45, 0x22, 0x53, 0x95, 0xba, 0x3c };
-
-static const unsigned char 
-tdea3_ecb_dec_key[24] = {
-                        0xb0, 0x75, 0x92, 0x2c, 0xfd, 0x67, 0x8a, 0x26,
-                        0xc8, 0xba, 0xad, 0x68, 0xb6, 0xba, 0x92, 0x49,
-                        0xe3, 0x2c, 0xec, 0x83, 0x34, 0xe6, 0xda, 0x98 };
-static const unsigned char 
-tdea3_ecb_dec_inp[8] = { 0x03, 0xcc, 0xe6, 0x65, 0xf6, 0xc5, 0xc3, 0xba };
-
-static const unsigned char 
-tdea3_cbc_enc_key[24] = { 
-                        0x01, 0x32, 0x73, 0xe9, 0xcb, 0x8a, 0x89, 0x80,
-                        0x02, 0x7a, 0xc1, 0x5d, 0xf4, 0xd5, 0x6b, 0x76,
-                        0x2f, 0xef, 0xfd, 0x58, 0x57, 0x1a, 0xce, 0x29 };
-static const unsigned char 
-tdea3_cbc_enc_iv[8]  = { 0x93, 0x98, 0x7c, 0x66, 0x98, 0x21, 0x5b, 0x9e };
-static const unsigned char 
-tdea3_cbc_enc_inp[8] = { 0x16, 0x54, 0x09, 0xd2, 0x2c, 0xad, 0x6d, 0x99 };
-
-static const unsigned char 
-tdea3_cbc_dec_key[24] = {
-                        0x57, 0x70, 0x3b, 0x4f, 0xae, 0xe6, 0x9d, 0x0e,
-                        0x4c, 0x3b, 0x23, 0xcd, 0x54, 0x20, 0xbc, 0x58,
-                        0x3b, 0x8a, 0x4a, 0xf1, 0x73, 0xf8, 0xf8, 0x38 };
-static const unsigned char 
-tdea3_cbc_dec_iv[8]  = { 0x5f, 0x62, 0xe4, 0xea, 0xa7, 0xb2, 0xb5, 0x70 };
-static const unsigned char 
-tdea3_cbc_dec_inp[8] = { 0x44, 0xb3, 0xe6, 0x3b, 0x1f, 0xbb, 0x43, 0x02 };
+#define ENCRYPT 1
+#define DECRYPT 0
+#define BYTE unsigned char
 
 SECStatus
-hex_from_2char(unsigned char *c2, unsigned char *byteval)
+hex_from_2char(const unsigned char *c2, unsigned char *byteval)
 {
     int i;
     unsigned char offset;
     *byteval = 0;
     for (i=0; i<2; i++) {
 	if (c2[i] >= '0' && c2[i] <= '9') {
 	    offset = c2[i] - '0';
 	    *byteval |= offset << 4*(1-i);
@@ -376,473 +103,788 @@ to_hex_str(char *str, const unsigned cha
     unsigned int i;
     for (i=0; i<len; i++) {
 	char2_from_hex(buf[i], &str[2*i], 'a');
     }
     str[2*len] = '\0';
 }
 
 void
-to_hex_str_cap(char *str, unsigned char *buf, unsigned int len)
+to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
 {
     unsigned int i;
     for (i=0; i<len; i++) {
 	char2_from_hex(buf[i], &str[2*i], 'A');
     }
+    str[2*len] = '\0';
+}
+
+/*
+ * Convert a string of hex digits (str) to an array (buf) of len bytes.
+ * Return PR_TRUE if the hex string can fit in the byte array.  Return
+ * PR_FALSE if the hex string is empty or is too long.
+ */
+PRBool
+from_hex_str(unsigned char *buf, unsigned int len, const char *str)
+{
+    unsigned int nxdigit;  /* number of hex digits in str */
+    unsigned int i;  /* index into buf */
+    unsigned int j;  /* index into str */
+
+    /* count the hex digits */
+    nxdigit = 0;
+    for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
+	/* empty body */
+    }
+    if (nxdigit == 0) {
+	return PR_FALSE;
+    }
+    if (nxdigit > 2*len) {
+	/*
+	 * The input hex string is too long, but we allow it if the
+	 * extra digits are leading 0's.
+	 */
+	for (j = 0; j < nxdigit-2*len; j++) {
+	    if (str[j] != '0') {
+		return PR_FALSE;
+	    }
+	}
+	/* skip leading 0's */
+	str += nxdigit-2*len;
+	nxdigit = 2*len;
+    }
+    for (i=0, j=0; i< len; i++) {
+	if (2*i < 2*len-nxdigit) {
+	    /* Handle a short input as if we padded it with leading 0's. */
+	    if (2*i+1 < 2*len-nxdigit) {
+		buf[i] = 0;
+	    } else {
+		char tmp[2];
+		tmp[0] = '0';
+		tmp[1] = str[j];
+		hex_from_2char(tmp, &buf[i]);
+		j++;
+	    }
+	} else {
+	    hex_from_2char(&str[j], &buf[i]);
+	    j += 2;
+	}
+    }
+    return PR_TRUE;
 }
 
-void
-des_var_pt_kat(int mode, PRBool encrypt, unsigned int len,
-               unsigned char *key, unsigned char *iv,
-               unsigned char *inp)
+SECStatus
+tdea_encrypt_buf(
+    int mode,
+    const unsigned char *key, 
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
 {
-    int i;
-    unsigned int olen, mbnum = 0;
-    unsigned char mod_byte = 0x80;
-    unsigned char in[8];
-    unsigned char out[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL, *cx2 = NULL;
-    memset(in, 0, sizeof in);
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    in[mbnum] = mod_byte;
-    for (i=1; i<=64; i++) {
-	cx1 = DES_CreateContext(key, iv, mode, PR_TRUE);
-	if (!encrypt) {
-	    cx2 = DES_CreateContext(key, iv, mode, PR_FALSE);
-	}
-	if (len > 8) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, key, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, key+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, key+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, key, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, iv, 8);
-	    printf("IV=%s%c", ivstr, tchar);
-	}
-	DES_Encrypt(cx1, out, &olen, 8, in, 8);
-	if (encrypt) {
-	    to_hex_str(instr, in, 8);
-	    to_hex_str(outstr, out, 8);
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    unsigned char inv[8];
-	    DES_Decrypt(cx2, inv, &olen, 8, out, 8);
-	    to_hex_str(instr, out, 8);
-	    to_hex_str(outstr, inv, 8);
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	if (mod_byte > 0x01) {
-	    mod_byte >>= 1;
-	} else {
-	    in[mbnum] = 0x00;
-	    mod_byte = 0x80;
-	    mbnum++;
-	}
-	in[mbnum] = mod_byte;
-	DES_DestroyContext(cx1, PR_TRUE);
-	if (cx2) {
-	    DES_DestroyContext(cx2, PR_TRUE);
-	}
+    SECStatus rv = SECFailure;
+    DESContext *cx;
+    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (*outputlen != inputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by decrypting the ciphertext and
+     * compare the output with the input plaintext.
+     */
+    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+                    output, *outputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+        goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+        DES_DestroyContext(cx, PR_TRUE);
     }
+    return rv;
+}
+
+SECStatus
+tdea_decrypt_buf(
+    int mode,
+    const unsigned char *key, 
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
+{
+    SECStatus rv = SECFailure;
+    DESContext *cx;
+    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
+                    input, inputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (*outputlen != inputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by encrypting the plaintext and
+     * compare the output with the input ciphertext.
+     */
+    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+        output, *outputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+        goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+        DES_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
 }
 
+/*
+ * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
+ * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
+ * and MMT have the same structure: given the key and IV (CBC mode
+ * only), encrypt the given plaintext or decrypt the given ciphertext.
+ * So we can handle them the same way.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
 void
-des_inv_perm_kat(int mode, PRBool encrypt, unsigned int len,
-                 unsigned char *key, unsigned char *iv,
-                 unsigned char *inp)
+tdea_kat_mmt(char *reqfn)
 {
-    int i;
-    unsigned int olen, mbnum = 0;
-    unsigned char mod_byte = 0x80;
-    unsigned char in[8];
-    unsigned char out[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL, *cx2 = NULL;
-    memset(in, 0, sizeof in);
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    in[mbnum] = mod_byte;
-    for (i=1; i<=64; i++) {
-	if (encrypt) {
-	    cx1 = DES_CreateContext(key, iv, mode, PR_TRUE);
-	    cx2 = DES_CreateContext(key, iv, mode, PR_TRUE);
-	} else {
-	    cx1 = DES_CreateContext(key, iv, mode, PR_FALSE);
-	}
-	if (len > 8) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, key, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, key+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, key+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, key, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, iv, 8);
-	    printf("IV=%s%c", ivstr, tchar);
-	}
-	if (encrypt) {
-	    unsigned char inv[8];
-	    DES_Encrypt(cx1, out, &olen, 8, in, 8);
-	    DES_Encrypt(cx2, inv, &olen, 8, out, 8);
-	    to_hex_str(instr, out, 8);
-	    to_hex_str(outstr, inv, 8);
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    DES_Decrypt(cx1, out, &olen, 8, in, 8);
-	    to_hex_str(instr, in, 8);
-	    to_hex_str(outstr, out, 8);
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	if (mod_byte > 0x01) {
-	    mod_byte >>= 1;
-	} else {
-	    in[mbnum] = 0x00;
-	    mod_byte = 0x80;
-	    mbnum++;
-	}
-	in[mbnum] = mod_byte;
-	DES_DestroyContext(cx1, PR_TRUE);
-	if (cx2) {
-	    DES_DestroyContext(cx2, PR_TRUE);
-	}
+    char buf[180];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "CIPHERTEXT = <180 hex digits>\n".
+                         */
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+    int i, j;
+    int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
+    int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[24];              /* TDEA 3 key bundle */
+    unsigned int numKeys = 0;
+    unsigned char iv[8];		/* for all modes except ECB */
+    unsigned char plaintext[8*20];     /* 1 to 20 blocks */
+    unsigned int plaintextlen;
+    unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
+    unsigned int ciphertextlen;
+    SECStatus rv;
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, sizeof buf, req) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [ENCRYPT] or [DECRYPT] */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+                crypt = ENCRYPT;
+            } else {
+                crypt = DECRYPT;
+            }
+            fputs(buf, resp);
+            continue;
+        }
+        /* NumKeys */
+        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            numKeys = buf[i];
+            fputs(buf, resp);
+            continue;
+        }
+        /* "COUNT = x" begins a new data set */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* mode defaults to ECB, if dataset has IV mode will be set CBC */
+            mode = NSS_DES_EDE3;
+            /* zeroize the variables for the test with this data set */
+            memset(key, 0, sizeof key);
+            memset(iv, 0, sizeof iv);
+            memset(plaintext, 0, sizeof plaintext);
+            plaintextlen = 0;
+            memset(ciphertext, 0, sizeof ciphertext);
+            ciphertextlen = 0;
+            fputs(buf, resp);
+            continue;
+        }
+        if (numKeys == 0) {
+            if (strncmp(buf, "KEYs", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                    hex_from_2char(&buf[i], &key[j]);
+                    key[j+8] = key[j];
+                    key[j+16] = key[j];
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        } else {
+            /* KEY1 = ... */
+            if (strncmp(buf, "KEY1", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                    hex_from_2char(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+            /* KEY2 = ... */
+            if (strncmp(buf, "KEY2", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=8; isxdigit(buf[i]); i+=2,j++) {
+                    hex_from_2char(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+            /* KEY3 = ... */
+            if (strncmp(buf, "KEY3", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=16; isxdigit(buf[i]); i+=2,j++) {
+                    hex_from_2char(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        }
+
+        /* IV = ... */
+        if (strncmp(buf, "IV", 2) == 0) {
+            mode = NSS_DES_EDE3_CBC;
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof iv; i+=2,j++) {
+                hex_from_2char(&buf[i], &iv[j]);
+            }
+            fputs(buf, resp);
+            continue;
+        }
+
+        /* PLAINTEXT = ... */
+        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+            /* sanity check */
+            if (crypt != ENCRYPT) {
+                goto loser;
+            }
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &plaintext[j]);
+            }
+            plaintextlen = j;
+            rv = tdea_encrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            ciphertext, &ciphertextlen, sizeof ciphertext,
+                            plaintext, plaintextlen);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+    
+            fputs(buf, resp);
+            fputs("CIPHERTEXT = ", resp);
+            to_hex_str(buf, ciphertext, ciphertextlen);
+            fputs(buf, resp);
+            fputc('\n', resp);
+            continue;
+        }
+        /* CIPHERTEXT = ... */
+        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+            /* sanity check */
+            if (crypt != DECRYPT) {
+                goto loser;
+            }
+ 
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &ciphertext[j]);
+            }
+            ciphertextlen = j;
+ 
+            rv = tdea_decrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            plaintext, &plaintextlen, sizeof plaintext,
+                            ciphertext, ciphertextlen);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+ 
+            fputs(buf, resp);
+            fputs("PLAINTEXT = ", resp);
+            to_hex_str(buf, plaintext, plaintextlen);
+            fputs(buf, resp);
+            fputc('\n', resp);
+            continue;
+        }
     }
+
+loser:
+    fclose(req);
 }
 
+/*
+* Set the parity bit for the given byte
+*/
+BYTE odd_parity( BYTE in)
+{
+    BYTE out = in;
+    in ^= in >> 4;
+    in ^= in >> 2;
+    in ^= in >> 1;
+    return (BYTE)(out ^ !(in & 1));
+}
+
+/*
+ * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
+ * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
+ */
 void
-des_var_key_kat(int mode, PRBool encrypt, unsigned int len,
-                unsigned char *key, unsigned char *iv,
-                unsigned char *inp)
+tdea_mct_next_keys(unsigned char *key,
+    const unsigned char *text_2, const unsigned char *text_1, 
+    const unsigned char *text, unsigned int numKeys)
 {
-    int i;
-    unsigned int olen, mbnum = 0;
-    unsigned char mod_byte = 0x80;
-    unsigned char keyin[24];
-    unsigned char out[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL, *cx2 = NULL;
-    memset(keyin, 1, sizeof keyin);
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    keyin[mbnum] = mod_byte;
-    keyin[mbnum+8] = mod_byte;
-    keyin[mbnum+16] = mod_byte;
-    for (i=1; i<=56; i++) {
-	cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE);
-	if (!encrypt) {
-	    cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE);
-	}
-	if (len > 8) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, keyin, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, keyin+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, keyin+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, keyin, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, iv, 8);
-	    printf("IV=%s%c", ivstr, tchar);
-	}
-	DES_Encrypt(cx1, out, &olen, 8, inp, 8);
-	if (encrypt) {
-	    to_hex_str(instr, inp, 8);
-	    to_hex_str(outstr, out, 8);
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    unsigned char inv[8];
-	    DES_Decrypt(cx2, inv, &olen, 8, out, 8);
-	    to_hex_str(instr, out, 8);
-	    to_hex_str(outstr, inv, 8);
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	if (mod_byte > 0x02) {
-	    mod_byte >>= 1;
-	} else {
-	    keyin[mbnum] = 0x01;
-	    keyin[mbnum+8] = 0x01;
-	    keyin[mbnum+16] = 0x01;
-	    mod_byte = 0x80;
-	    mbnum++;
-	}
-	keyin[mbnum] = mod_byte;
-	keyin[mbnum+8] = mod_byte;
-	keyin[mbnum+16] = mod_byte;
-	DES_DestroyContext(cx1, PR_TRUE);
-	if (cx2) {
-	    DES_DestroyContext(cx2, PR_TRUE);
-	}
+    int k;
+
+    /* key1[i+1] = key1[i] xor PT/CT[j] */
+    for (k=0; k<8; k++) {
+        key[k] ^= text[k];
+    }
+    /* key2 */
+    if (numKeys == 2 || numKeys == 3)  {
+        /* key2 independent */
+        for (k=8; k<16; k++) {
+            /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
+            key[k] ^= text_1[k-8];
+        }
+    } else {
+        /* key2 == key 1 */
+        for (k=8; k<16; k++) {
+            /* key2[i+1] = KEY2[i] xor PT/CT[j] */
+            key[k] = key[k-8];
+        }
+    }
+    /* key3 */
+    if (numKeys == 1 || numKeys == 2) {
+        /* key3 == key 1 */
+        for (k=16; k<24; k++) {
+            /* key3[i+1] = KEY3[i] xor PT/CT[j] */
+            key[k] = key[k-16];
+        }
+    } else {
+        /* key3 independent */ 
+        for (k=16; k<24; k++) {
+            /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
+            key[k] ^= text_2[k-16];
+        }
+    }
+    /* set the parity bits */            
+    for (k=0; k<24; k++) {
+        key[k] = odd_parity(key[k]);
     }
 }
 
-void
-des_perm_op_kat(int mode, PRBool encrypt, unsigned int len,
-                unsigned char *key, unsigned char *iv,
-                unsigned char *inp)
-{
-    int i;
-    unsigned int olen;
-    unsigned char keyin[24];
-    unsigned char out[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL, *cx2 = NULL;
-    memset(keyin, 0, sizeof keyin);
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    for (i=0; i<32; i++) {
-	memcpy(keyin, table3[i], 8);
-	memcpy(keyin+8, table3[i], 8);
-	memcpy(keyin+16, table3[i], 8);
-	cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE);
-	if (!encrypt) {
-	    cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE);
-	}
-	if (len > 8) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, keyin, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, keyin+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, keyin+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, keyin, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, iv, 8);
-	    printf("IV=%s%c", ivstr, tchar);
-	}
-	DES_Encrypt(cx1, out, &olen, 8, inp, 8);
-	if (encrypt) {
-	    to_hex_str(instr, inp, 8);
-	    to_hex_str(outstr, out, 8);
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    unsigned char inv[8];
-	    DES_Decrypt(cx2, inv, &olen, 8, out, 8);
-	    to_hex_str(instr, out, 8);
-	    to_hex_str(outstr, inv, 8);
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	DES_DestroyContext(cx1, PR_TRUE);
-	if (cx2) {
-	    DES_DestroyContext(cx2, PR_TRUE);
-	}
+/*
+ * Perform the Monte Carlo Test
+ *
+ * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
+ * crypt = ENCRYPT || DECRYPT
+ * inputtext = plaintext or Cyphertext depending on the value of crypt
+ * inputlength is expected to be size 8 bytes 
+ * iv = needs to be set for NSS_DES_EDE3_CBC mode
+ * resp = is the output response file. 
+ */
+ void                                                       
+tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
+              unsigned int crypt, unsigned char* inputtext, 
+              unsigned int inputlength, unsigned char* iv, FILE *resp) { 
+
+    int i, j;
+    unsigned char outputtext_1[8];      /* PT/CT[j-1] */
+    unsigned char outputtext_2[8];      /* PT/CT[j-2] */
+    char buf[80];       /* holds one line from the input REQUEST file. */
+    unsigned int outputlen;
+    unsigned char outputtext[8];
+    
+        
+    SECStatus rv;
+
+    if (mode == NSS_DES_EDE3 && iv != NULL) {
+        printf("IV must be NULL for NSS_DES_EDE3 mode");
+        goto loser;
+    } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
+        printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
+        goto loser;
     }
+
+    /* loop 400 times */
+    for (i=0; i<400; i++) {
+        /* if i == 0 CV[0] = IV  not necessary */        
+        /* record the count and key values and plainText */
+        sprintf(buf, "COUNT = %d\n", i);
+        fputs(buf, resp);
+        /* Output KEY1[i] */
+        fputs("KEY1 = ", resp);
+        to_hex_str(buf, key, 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        /* Output KEY2[i] */
+        fputs("KEY2 = ", resp);
+        to_hex_str(buf, &key[8], 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        /* Output KEY3[i] */
+        fputs("KEY3 = ", resp);
+        to_hex_str(buf, &key[16], 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        if (mode == NSS_DES_EDE3_CBC) {
+            /* Output CV[i] */
+            fputs("IV = ", resp);
+            to_hex_str(buf, iv, 8);
+            fputs(buf, resp);
+            fputc('\n', resp);
+        }
+        if (crypt == ENCRYPT) {
+            /* Output PT[0] */
+            fputs("PLAINTEXT = ", resp);
+        } else {
+            /* Output CT[0] */
+            fputs("CIPHERTEXT = ", resp);
+        }
+
+        to_hex_str(buf, inputtext, inputlength);
+        fputs(buf, resp);
+        fputc('\n', resp);
+
+        /* loop 10,000 times */
+        for (j=0; j<10000; j++) {
+
+            outputlen = 0;
+            if (crypt == ENCRYPT) {
+                /* inputtext == ciphertext outputtext == plaintext*/
+                rv = tdea_encrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            outputtext, &outputlen, 8,
+                            inputtext, 8);
+            } else {
+                /* inputtext == plaintext outputtext == ciphertext */
+                rv = tdea_decrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            outputtext, &outputlen, 8,
+                            inputtext, 8);
+            }
+
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+            if (outputlen != inputlength) {
+                goto loser;
+            }
+
+            if (mode == NSS_DES_EDE3_CBC) {
+                if (crypt == ENCRYPT) {
+                    if (j == 0) {
+                        /*P[j+1] = CV[0] */
+                        memcpy(inputtext, iv, 8);
+                    } else {
+                        /* p[j+1] = C[j-1] */
+                        memcpy(inputtext, outputtext_1, 8);
+                    }
+                    /* CV[j+1] = C[j] */
+                    memcpy(iv, outputtext, 8);
+                    if (j != 9999) {
+                        /* save C[j-1] */
+                        memcpy(outputtext_1, outputtext, 8);
+                    }
+                } else { /* DECRYPT */
+                    /* CV[j+1] = C[j] */
+                    memcpy(iv, inputtext, 8);
+                    /* C[j+1] = P[j] */
+                    memcpy(inputtext, outputtext, 8);
+                }
+            } else {
+                /* ECB mode PT/CT[j+1] = CT/PT[j] */
+                memcpy(inputtext, outputtext, 8);
+            }
+
+            /* Save PT/CT[j-2] and PT/CT[j-1] */
+            if (j==9997) memcpy(outputtext_2, outputtext, 8);
+            if (j==9998) memcpy(outputtext_1, outputtext, 8);
+            /* done at the end of the for(j) loop */
+        }
+
+
+        if (crypt == ENCRYPT) {
+            /* Output CT[j] */
+            fputs("CIPHERTEXT = ", resp);
+        } else {
+            /* Output PT[j] */
+            fputs("PLAINTEXT = ", resp);
+        }
+        to_hex_str(buf, outputtext, 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+
+        /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
+         *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
+         */
+        tdea_mct_next_keys(key, outputtext_2, 
+                           outputtext_1, outputtext, numKeys);
+
+        if (mode == NSS_DES_EDE3_CBC) {
+            /* taken care of in the j=9999 iteration */
+            if (crypt == ENCRYPT) {
+                /* P[i] = C[j-1] */
+                /* CV[i] = C[j] */
+            } else {
+                /* taken care of in the j=9999 iteration */
+                /* CV[i] = C[j] */
+                /* C[i] = P[j]  */
+            }
+        } else {
+            /* ECB PT/CT[i] = PT/CT[j]  */
+            memcpy(inputtext, outputtext, 8);
+        }
+        /* done at the end of the for(i) loop */
+        fputc('\n', resp);
+    }
+
+loser:
+    return;
 }
 
+/*
+ * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
+ * by gathering the input from the request file, and then 
+ * calling tdea_mct_test.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
 void
-des_sub_tbl_kat(int mode, PRBool encrypt, unsigned int len,
-                unsigned char *key, unsigned char *iv,
-                unsigned char *inp)
-{
-    int i;
-    unsigned int olen;
-    unsigned char keyin[24];
-    unsigned char out[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL, *cx2 = NULL;
-    memset(keyin, 0, sizeof keyin);
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    for (i=0; i<19; i++) {
-	memcpy(keyin, table4_key[i], 8);
-	memcpy(keyin+8, table4_key[i], 8);
-	memcpy(keyin+16, table4_key[i], 8);
-	cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE);
-	if (!encrypt) {
-	    cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE);
-	}
-	if (len > 8) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, keyin, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, keyin+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, keyin+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, keyin, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, iv, 8);
-	    printf("IV=%s%c", ivstr, tchar);
-	}
-	DES_Encrypt(cx1, out, &olen, 8, table4_inp[i], 8);
-	if (encrypt) {
-	    to_hex_str(instr, table4_inp[i], 8);
-	    to_hex_str(outstr, out, 8);
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    unsigned char inv[8];
-	    DES_Decrypt(cx2, inv, &olen, 8, out, 8);
-	    to_hex_str(instr, out, 8);
-	    to_hex_str(outstr, inv, 8);
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	DES_DestroyContext(cx1, PR_TRUE);
-	if (cx2) {
-	    DES_DestroyContext(cx2, PR_TRUE);
-	}
-    }
-}
-
-unsigned char make_odd_parity(unsigned char b)
-{
-    int i;
-    int sum = 0;
-    for (i=1; i<8; i++) {
-	sum += (b & (1 << i)) ? 1 : 0;
-    }
-    if (sum & 0x01) {
-	return (b & 0xfe);
-    } else {
-	return (b | 0x01);
-    }
-}
-
-void
-des_modes(int mode, PRBool encrypt, unsigned int len,
-          const unsigned char *key, const unsigned char *iv,
-          const unsigned char *inp, int keymode)
+tdea_mct(int mode, char *reqfn)
 {
     int i, j;
-    unsigned int olen;
-    unsigned char keyin[24];
-    unsigned char in[8];
-    unsigned char cv[8];
-    unsigned char cv0[8];
-    unsigned char in0[8];
-    unsigned char out[8];
-    unsigned char cj9998[8], cj9997[8];
-    char keystr[17], ivstr[17], instr[17], outstr[17];
-    char *ptty = (len == 8) ? "PT" : "PLAINTEXT";
-    char *ctty = (len == 8) ? "CT" : "CIPHERTEXT";
-    char tchar = (len == 8) ? '\t' : '\n';
-    DESContext *cx1 = NULL;
-    memset(keystr, 0, sizeof keystr);
-    memset(ivstr, 0, sizeof ivstr);
-    memset(instr, 0, sizeof instr);
-    memset(outstr, 0, sizeof outstr);
-    memcpy(in, inp, 8);
-    if (iv) memcpy(cv, iv, 8);
-    memcpy(keyin, key, len);
-    for (i=0; i<400; i++) {
-	if (iv) memcpy(cv0, cv, 8);
-	memcpy(in0, in, 8);
-	for (j=0; j<10000; j++) {
-	    if (encrypt) {
-		cx1 = DES_CreateContext(keyin, cv, mode, PR_TRUE);
-		DES_Encrypt(cx1, out, &olen, 8, in, 8);
-	    } else {
-		cx1 = DES_CreateContext(keyin, cv, mode, PR_FALSE);
-		DES_Decrypt(cx1, out, &olen, 8, in, 8);
-	    }
-	    if (j==9997) memcpy(cj9997, out, 8);
-	    if (j==9998) memcpy(cj9998, out, 8);
-	    if (iv) {
-		if (encrypt) {
-		    memcpy(in, cv, 8);
-		    memcpy(cv, out, 8);
-		} else {
-		    memcpy(cv, in, 8);
-		    memcpy(in, out, 8);
-		}
-	    } else {
-		memcpy(in, out, 8);
-	    }
-	    DES_DestroyContext(cx1, PR_TRUE);
-	}
-	if (keymode > 0) {
-	    printf("COUNT = %d\n", i);
-	    to_hex_str(keystr, keyin, 8);
-	    printf("KEY1=%s\n", keystr);
-	    to_hex_str(keystr, keyin+8, 8);
-	    printf("KEY2=%s\n", keystr);
-	    to_hex_str(keystr, keyin+16, 8);
-	    printf("KEY3=%s\n", keystr);
-	} else {
-	    to_hex_str(keystr, keyin, 8);
-	    printf("%ld\tKEY=%s\t", i, keystr);
-	}
-	if (iv) {
-	    to_hex_str(ivstr, cv0, 8);
-	    printf("CV=%s%c", ivstr, tchar);
-	}
-	to_hex_str(instr, in0, 8);
-	to_hex_str(outstr, out, 8);
-	if (encrypt) {
-	    printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr);
-	} else {
-	    printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr);
-	}
-	for (j=0; j<8; j++) {
-	    keyin[j] ^= out[j];
-	    keyin[j] = make_odd_parity(keyin[j]);
-	    if (keymode == 0) continue;
-	    if (keymode > 1) {
-		keyin[j+8] ^= cj9998[j];
-		keyin[j+8] = make_odd_parity(keyin[j+8]);
-	    } else {
-		keyin[j+8] = keyin[j];
-	    }
-	    if (keymode > 2) {
-		keyin[j+16] ^= cj9997[j];
-		keyin[j+16] = make_odd_parity(keyin[j+16]);
-	    } else {
-		keyin[j+16] = keyin[j];
-	    }
-	}
+    char buf[80];    /* holds one line from the input REQUEST file. */
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+    unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[24];              /* TDEA 3 key bundle */
+    unsigned int numKeys = 0;
+    unsigned char plaintext[8];        /* PT[j] */
+    unsigned char ciphertext[8];       /* CT[j] */
+    unsigned char iv[8];
+
+    /* zeroize the variables for the test with this data set */
+    memset(key, 0, sizeof key);
+    memset(plaintext, 0, sizeof plaintext);
+    memset(ciphertext, 0, sizeof ciphertext);
+    memset(iv, 0, sizeof iv);
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, sizeof buf, req) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [ENCRYPT] or [DECRYPT] */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+                crypt = ENCRYPT;
+            } else {
+                crypt = DECRYPT;
+           }
+           fputs(buf, resp);
+           continue;
+        }
+        /* NumKeys */
+        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            numKeys = atoi(&buf[i]);
+            continue;
+        }
+        /* KEY1 = ... */
+        if (strncmp(buf, "KEY1", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &key[j]);
+            }
+            continue;
+        }
+        /* KEY2 = ... */
+        if (strncmp(buf, "KEY2", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=8; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &key[j]);
+            }
+            continue;
+        }
+        /* KEY3 = ... */
+        if (strncmp(buf, "KEY3", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=16; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &key[j]);
+            }
+            continue;
+        }
+
+        /* IV = ... */
+        if (strncmp(buf, "IV", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof iv; i+=2,j++) {
+                hex_from_2char(&buf[i], &iv[j]);
+            }
+            continue;
+        }
+
+       /* PLAINTEXT = ... */
+       if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+
+            /* sanity check */
+            if (crypt != ENCRYPT) {
+                goto loser;
+            }
+            /* PT[0] = PT */
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof plaintext; i+=2,j++) {
+                hex_from_2char(&buf[i], &plaintext[j]);
+            }                                     
+
+            /* do the Monte Carlo test */
+            if (mode==NSS_DES_EDE3) {
+                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
+            } else {
+                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
+            }
+            continue;
+        }
+        /* CIPHERTEXT = ... */
+        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+            /* sanity check */
+            if (crypt != DECRYPT) {
+                goto loser;
+            }
+            /* CT[0] = CT */
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_from_2char(&buf[i], &ciphertext[j]);
+            }
+            
+            /* do the Monte Carlo test */
+            if (mode==NSS_DES_EDE3) {
+                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
+            } else {
+                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
+            }
+            continue;
+        }
     }
+
+loser:
+    fclose(req);
 }
 
+
 SECStatus
 aes_encrypt_buf(
     int mode,
     const unsigned char *key, unsigned int keysize,
     const unsigned char *iv,
     unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
     const unsigned char *input, unsigned int inputlen)
 {
@@ -1792,162 +1834,16 @@ void write_compact_string(FILE *out, uns
 	}
     }
     fprintf(out, "^\n");
     fseek(out, start, SEEK_SET);
     fprintf(out, "%d ", z);
     fseek(out, 0, SEEK_END);
 }
 
-void do_shs_type3(FILE *out, unsigned char *M, unsigned int len)
-{
-    int i, j, a;
-    unsigned char zero[30];
-    unsigned char iword[4];
-    unsigned int l = len;
-    char hashstr[41];
-    SHA1Context *cx;
-    memset(zero, 0, sizeof zero);
-    for (j=0; j<100; j++) {
-	cx = SHA1_NewContext();
-	for (i=1; i<=50000; i++) {
-	    SHA1_Begin(cx);
-	    SHA1_Update(cx, M, l);
-	    a = j/4 + 3;
-	    SHA1_Update(cx, zero, a);
-	    iword[3] = (char)i;
-	    iword[2] = (char)(i >> 8);
-	    iword[1] = (char)(i >> 16);
-	    iword[0] = (char)(i >> 24);
-	    SHA1_Update(cx, iword, 4);
-	    SHA1_End(cx, M, &l, 20);
-	}
-	SHA1_DestroyContext(cx, PR_TRUE);
-	to_hex_str_cap(hashstr, M, l);
-	hashstr[40] = '\0';
-	fprintf(out, "%s ^", hashstr);
-	if (j<99) fprintf(out, "\n");
-    }
-}
-
-void
-shs_test(char *reqfn)
-{
-    char buf[80];
-    FILE *shareq, *sharesp;
-    char readbuf[64];
-    int i, nr;
-    int newline, skip, r_z, r_b, r_n, r, b, z, n, reading;
-    unsigned char hash[20];
-    char hashstr[41];
-    unsigned char input[13000];
-    int next_bit = 0;
-    int shs_type = 0;
-    shareq = fopen(reqfn, "r");
-    sharesp = stdout;
-    newline = 1;
-    reading = skip = r_z = r_b = r_n = z = r = n = 0;
-    while ((nr = fread(buf, 1, sizeof buf, shareq)) > 0) {
-	for (i=0; i<nr; i++) {
-	    if (newline) {
-		if (buf[i] == '#' || buf[i] == 'D' || buf[i] == '<') {
-		    skip = 1;
-		} else if (buf[i] == 'H') {
-		    skip = 0;
-		    shs_type++;
-		    fprintf(sharesp, "H>SHS Type %d Hashes<H", shs_type);
-		} else if (isdigit(buf[i])) {
-		    r_z = 1;
-		    readbuf[r++] = buf[i];
-		}
-		newline =  (buf[i] == '\n') ? 1 : 0;
-	    } else {
-		if (buf[i] == '\n' && !r_n) {
-		    skip = r_z = r_n = 0;
-		    newline = 1;
-		} else if (r_z) {
-		    if (buf[i] == ' ') {
-			r_z = 0;
-			readbuf[r] = '\0';
-			z = atoi(readbuf);
-			r_b = 1;
-			r = 0;
-		    } else if (isdigit(buf[i])) {
-			readbuf[r++] = buf[i];
-		    }
-		} else if (r_b) {
-		    if (buf[i] == ' ') {
-			r_b = 0;
-			readbuf[r] = '\0';
-			b = atoi(readbuf);
-			r_n = 1;
-			r = 0;
-		    } else if (isdigit(buf[i])) {
-			readbuf[r++] = buf[i];
-		    }
-		} else if (r_n) {
-		    if (buf[i] == ' ') {
-			readbuf[r++] = '\0';
-			n = atoi(readbuf);
-			if (b == 0) {
-			    next_bit += n;
-			    b = 1;
-			} else {
-			    int next_byte = next_bit / 8;
-			    int shift = next_bit % 8;
-			    unsigned char m = 0xff;
-			    if (n < 8 - shift) {
-				m <<= (8 - n);
-				m >>= shift;
-				input[next_byte] |= m;
-				next_bit += n;
-			    } else {
-				m >>= shift;
-				input[next_byte++] |= m;
-				next_bit += 8 - shift;
-				n -= (8 - shift);
-				while (n > 8) {
-				    m = 0xff;
-				    input[next_byte++] |= m;
-				    next_bit += 8;
-				    n -= 8;
-				}
-				if (n > 0) {
-				    m = 0xff << (8 - n);
-				    input[next_byte] |= m;
-				    next_bit += n;
-				}
-			    }
-			    b = 0;
-			}
-			r = 0;
-		    } else if (buf[i] == '^') {
-			r_n = 0;
-			if (shs_type < 3) {
-			    SHA1_HashBuf(hash, input, next_bit/8);
-			    to_hex_str_cap(hashstr, hash, sizeof hash);
-			    hashstr[40] = '\0';
-			    fprintf(sharesp, "%s ^", hashstr);
-			    memset(input, 0, sizeof input);
-			    next_bit = 0;
-			} else {
-			    do_shs_type3(sharesp, input, next_bit/8);
-			}
-		    } else if (isdigit(buf[i])) {
-			readbuf[r++] = buf[i];
-		    }
-		}
-	    }
-	    if (skip || newline) {
-		fprintf(sharesp, "%c", buf[i]);
-	    }
-	}
-    }
-}
-
 int get_next_line(FILE *req, char *key, char *val, FILE *rsp)
 {
     int ignore = 0;
     char *writeto = key;
     int w = 0;
     int c;
     while ((c = fgetc(req)) != EOF) {
 	if (ignore) {
@@ -2326,295 +2222,1130 @@ do_sigver:
 		}
 	    }
 	}
     }
     fclose(req);
     fclose(rsp);
 }
 
+#ifdef NSS_ENABLE_ECC
+typedef struct curveNameTagPairStr {
+    char *curveName;
+    SECOidTag curveOidTag;
+} CurveNameTagPair;
+
+#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
+/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
+
+static CurveNameTagPair nameTagPair[] =
+{ 
+  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
+  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
+  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
+  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
+  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
+  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
+  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
+  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
+  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
+  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
+  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
+  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
+  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
+  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
+  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
+  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
+  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
+  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
+  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
+  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
+  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
+  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
+  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
+  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
+  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
+  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
+  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
+  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
+  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
+  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
+  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
+  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
+  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
+  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
+  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
+  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
+  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
+  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
+  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
+  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
+
+  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
+  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
+  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
+  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
+  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
+  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
+
+  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
+  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
+  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
+  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
+  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
+  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
+  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
+  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
+  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
+  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
+  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
+  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
+  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
+  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
+  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
+  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
+  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
+  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
+  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
+  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
+
+  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
+  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
+  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
+  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
+
+  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
+  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
+  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
+  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
+};
+
+static SECKEYECParams * 
+getECParams(const char *curve)
+{
+    SECKEYECParams *ecparams;
+    SECOidData *oidData = NULL;
+    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
+    int i, numCurves;
+
+    if (curve != NULL) {
+        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
+	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
+	     i++) {
+	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
+	        curveOidTag = nameTagPair[i].curveOidTag;
+	}
+    }
+
+    /* Return NULL if curve name is not recognized */
+    if ((curveOidTag == SEC_OID_UNKNOWN) || 
+	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
+        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
+	return NULL;
+    }
+
+    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
+
+    /* 
+     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in 
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
+    ecparams->data[1] = oidData->oid.len;
+    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return ecparams;
+}
+
+/*
+ * Perform the ECDSA Key Pair Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_keypair_test(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams;
+    int N;
+    int i;
+    unsigned int len;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* N = x */
+	if (buf[0] == 'N') {
+	    if (sscanf(buf, "N = %d", &N) != 1) {
+		goto loser;
+	    }
+	    for (i = 0; i < N; i++) {
+		ECPrivateKey *ecpriv;
+
+		if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
+		    goto loser;
+		}
+		fputs("d = ", ecdsaresp);
+		to_hex_str(buf, ecpriv->privateValue.data,
+			   ecpriv->privateValue.len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
+		    != SECSuccess) {
+		    goto loser;
+		}
+		len = ecpriv->publicValue.len;
+		if (len%2 == 0) {
+		    goto loser;
+		}
+		len = (len-1)/2;
+		if (ecpriv->publicValue.data[0]
+		    != EC_POINT_FORM_UNCOMPRESSED) {
+		    goto loser;
+		}
+		fputs("Qx = ", ecdsaresp);
+		to_hex_str(buf, &ecpriv->publicValue.data[1], len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		fputs("Qy = ", ecdsaresp);
+		to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		fputc('\n', ecdsaresp);
+		PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+	    }
+	    PORT_FreeArena(ecparams->arena, PR_TRUE);
+	    continue;
+	}
+    }
+loser:
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Public Key Validation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_pkv_test(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams = NULL;
+    SECItem pubkey;
+    unsigned int i;
+    unsigned int len;
+    PRBool keyvalid = PR_TRUE;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    if (ecparams != NULL) {
+		PORT_FreeArena(ecparams->arena, PR_TRUE);
+		ecparams = NULL;
+	    }
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    len = (ecparams->fieldID.size + 7) >> 3;
+	    if (pubkey.data != NULL) {
+		PORT_Free(pubkey.data);
+		pubkey.data = NULL;
+	    }
+	    SECITEM_AllocItem(NULL, &pubkey, 2*len+1);
+	    if (pubkey.data == NULL) {
+		goto loser;
+	    }
+	    pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Qx = ... */
+	if (strncmp(buf, "Qx", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]);
+	    continue;
+	}
+	/* Qy = ... */
+	if (strncmp(buf, "Qy", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    if (!keyvalid) {
+		fputs("Result = F\n", ecdsaresp);
+		continue;
+	    }
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]);
+	    if (!keyvalid) {
+		fputs("Result = F\n", ecdsaresp);
+		continue;
+	    }
+	    if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) {
+		fputs("Result = P\n", ecdsaresp);
+	    } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
+		fputs("Result = F\n", ecdsaresp);
+	    } else {
+		goto loser;
+	    }
+	    continue;
+	}
+    }
+loser:
+    if (ecparams != NULL) {
+	PORT_FreeArena(ecparams->arena, PR_TRUE);
+    }
+    if (pubkey.data != NULL) {
+	PORT_Free(pubkey.data);
+    }
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Signature Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_siggen_test(char *reqfn)
+{
+    char buf[1024];     /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * needs to be large enough to hold the longest
+                         * line "Msg = <256 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams = NULL;
+    int i, j;
+    unsigned int len;
+    unsigned char msg[512];  /* message to be signed (<= 128 bytes) */
+    unsigned int msglen;
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[2*MAX_ECKEY_LEN];
+    SECItem signature, digest;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    if (ecparams != NULL) {
+		PORT_FreeArena(ecparams->arena, PR_TRUE);
+		ecparams = NULL;
+	    }
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Msg = ... */
+	if (strncmp(buf, "Msg", 3) == 0) {
+	    ECPrivateKey *ecpriv;
+
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_from_2char(&buf[i], &msg[j]);
+	    }
+	    msglen = j;
+	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
+		goto loser;
+	    }
+	    fputs(buf, ecdsaresp);
+
+	    if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
+		goto loser;
+	    }
+	    if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
+		!= SECSuccess) {
+		goto loser;
+	    }
+	    len = ecpriv->publicValue.len;
+	    if (len%2 == 0) {
+		goto loser;
+	    }
+	    len = (len-1)/2;
+	    if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+		goto loser;
+	    }
+	    fputs("Qx = ", ecdsaresp);
+	    to_hex_str(buf, &ecpriv->publicValue.data[1], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+	    fputs("Qy = ", ecdsaresp);
+	    to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+
+	    digest.type = siBuffer;
+	    digest.data = sha1;
+	    digest.len = sizeof sha1;
+	    signature.type = siBuffer;
+	    signature.data = sig;
+	    signature.len = sizeof sig;
+	    if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) {
+		goto loser;
+	    }
+	    len = signature.len;
+	    if (len%2 != 0) {
+		goto loser;
+	    }
+	    len = len/2;
+	    fputs("R = ", ecdsaresp);
+	    to_hex_str(buf, &signature.data[0], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+	    fputs("S = ", ecdsaresp);
+	    to_hex_str(buf, &signature.data[len], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+
+	    PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+	    continue;
+	}
+    }
+loser:
+    if (ecparams != NULL) {
+	PORT_FreeArena(ecparams->arena, PR_TRUE);
+    }
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Signature Verification Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_sigver_test(char *reqfn)
+{
+    char buf[1024];     /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Msg = <256 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams = NULL;
+    ECPublicKey ecpub;
+    unsigned int i, j;
+    unsigned int flen;  /* length in bytes of the field size */
+    unsigned int olen;  /* length in bytes of the base point order */
+    unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
+    unsigned int msglen;
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[2*MAX_ECKEY_LEN];
+    SECItem signature, digest;
+    PRBool keyvalid = PR_TRUE;
+    PRBool sigvalid = PR_TRUE;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    ecpub.publicValue.type = siBuffer;
+    ecpub.publicValue.data = NULL;
+    ecpub.publicValue.len = 0;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    if (ecparams != NULL) {
+		PORT_FreeArena(ecparams->arena, PR_TRUE);
+		ecparams = NULL;
+	    }
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    ecpub.ecParams = *ecparams;
+	    flen = (ecparams->fieldID.size + 7) >> 3;
+	    olen = ecparams->order.len;
+	    if (2*olen > sizeof sig) {
+		goto loser;
+	    }
+	    if (ecpub.publicValue.data != NULL) {
+		SECITEM_FreeItem(&ecpub.publicValue, PR_FALSE);
+	    }
+	    SECITEM_AllocItem(NULL, &ecpub.publicValue, 2*flen+1);
+	    if (ecpub.publicValue.data == NULL) {
+		goto loser;
+	    }
+	    ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Msg = ... */
+	if (strncmp(buf, "Msg", 3) == 0) {
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_from_2char(&buf[i], &msg[j]);
+	    }
+	    msglen = j;
+	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
+		goto loser;
+	    }
+	    fputs(buf, ecdsaresp);
+
+	    digest.type = siBuffer;
+	    digest.data = sha1;
+	    digest.len = sizeof sha1;
+
+	    continue;
+	}
+	/* Qx = ... */
+	if (strncmp(buf, "Qx", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen,
+				    &buf[i]);
+	    continue;
+	}
+	/* Qy = ... */
+	if (strncmp(buf, "Qy", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    if (!keyvalid) {
+		continue;
+	    }
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen,
+				    &buf[i]);
+	    if (!keyvalid) {
+		continue;
+	    }
+	    if (EC_ValidatePublicKey(ecparams, &ecpub.publicValue)
+		!= SECSuccess) {
+		if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
+		    keyvalid = PR_FALSE;
+		} else {
+		    goto loser;
+		}
+	    }
+	    continue;
+	}
+	/* R = ... */
+	if (buf[0] == 'R') {
+	    fputs(buf, ecdsaresp);
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    sigvalid = from_hex_str(sig, olen, &buf[i]);
+	    continue;
+	}
+	/* S = ... */
+	if (buf[0] == 'S') {
+	    fputs(buf, ecdsaresp);
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    if (sigvalid) {
+		sigvalid = from_hex_str(&sig[olen], olen, &buf[i]);
+	    }
+	    signature.type = siBuffer;
+	    signature.data = sig;
+	    signature.len = 2*olen;
+
+	    if (!keyvalid || !sigvalid) {
+		fputs("Result = F\n", ecdsaresp);
+	    } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest)
+		== SECSuccess) {
+		fputs("Result = P\n", ecdsaresp);
+	    } else {
+		fputs("Result = F\n", ecdsaresp);
+	    }
+	    continue;
+	}
+    }
+loser:
+    if (ecparams != NULL) {
+	PORT_FreeArena(ecparams->arena, PR_TRUE);
+    }
+    if (ecpub.publicValue.data != NULL) {
+	SECITEM_FreeItem(&ecpub.publicValue, PR_FALSE);
+    }
+    fclose(ecdsareq);
+}
+#endif /* NSS_ENABLE_ECC */
+
 void do_random()
 {
     int i, j, k = 0;
     unsigned char buf[500];
     for (i=0; i<5; i++) {
 	RNG_GenerateGlobalRandomBytes(buf, sizeof buf);
 	for (j=0; j<sizeof buf / 2; j++) {
 	    printf("0x%02x%02x", buf[2*j], buf[2*j+1]);
 	    if (++k % 8 == 0) printf("\n"); else printf(" ");
 	}
     }
 }
 
+/*
+ * Calculate the SHA Message Digest 
+ *
+ * MD = Message digest 
+ * MDLen = length of Message Digest and SHA_Type
+ * msg = message to digest 
+ * msgLen = length of message to digest
+ */
+SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) 
+{    
+    SECStatus   sha_status = SECFailure;
+
+    if (MDLen == SHA1_LENGTH) {
+        sha_status = SHA1_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA256_LENGTH) {
+        sha_status = SHA256_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA384_LENGTH) {
+        sha_status = SHA384_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA512_LENGTH) {
+        sha_status = SHA512_HashBuf(MD, msg, msgLen);
+    }
+
+    return sha_status;
+}
+
+/*
+ * Perform the SHA Monte Carlo Test
+ *
+ * MDLen = length of Message Digest and SHA_Type
+ * seed = input seed value
+ * resp = is the output response file. 
+ */
+SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) 
+{
+    int i, j;
+    unsigned int msgLen = MDLen*3;
+    unsigned char MD_i3[HASH_LENGTH_MAX];  /* MD[i-3] */
+    unsigned char MD_i2[HASH_LENGTH_MAX];  /* MD[i-2] */
+    unsigned char MD_i1[HASH_LENGTH_MAX];  /* MD[i-1] */
+    unsigned char MD_i[HASH_LENGTH_MAX];   /* MD[i] */
+    unsigned char msg[HASH_LENGTH_MAX*3];
+    char buf[HASH_LENGTH_MAX*2 + 1];  /* MAX buf MD_i as a hex string */
+
+    for (j=0; j<100; j++) {
+        /* MD_0 = MD_1 = MD_2 = seed */
+        memcpy(MD_i3, seed, MDLen);
+        memcpy(MD_i2, seed, MDLen);
+        memcpy(MD_i1, seed, MDLen);
+
+        for (i=3; i < 1003; i++) {
+            /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */
+            memcpy(msg, MD_i3, MDLen);
+            memcpy(&msg[MDLen], MD_i2, MDLen);
+            memcpy(&msg[MDLen*2], MD_i1,MDLen); 
+
+            /* MDi = SHA(Msg) */
+            if (sha_calcMD(MD_i, MDLen,   
+                           msg, msgLen) != SECSuccess) {
+                return SECFailure;
+            }
+
+            /* save MD[i-3] MD[i-2]  MD[i-1] */
+            memcpy(MD_i3, MD_i2, MDLen);
+            memcpy(MD_i2, MD_i1, MDLen);
+            memcpy(MD_i1, MD_i, MDLen);
+
+        }
+
+        /* seed = MD_i */
+        memcpy(seed, MD_i, MDLen);
+
+        sprintf(buf, "COUNT = %d\n", j);
+        fputs(buf, resp);
+
+        /* output MD_i */
+        fputs("MD = ", resp);
+        to_hex_str(buf, MD_i, MDLen);
+        fputs(buf, resp);
+        fputc('\n', resp);
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Perform the SHA Tests.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void sha_test(char *reqfn) 
+{
+    int i, j;
+    unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
+    unsigned int msgLen;  /* the length of the input Message in Bytes */
+    char *msg = NULL;      /* holds the message to digest.*/
+    size_t bufSize = 25608; /*MAX buffer size */
+    char *buf = NULL;      /* holds one line from the input REQUEST file.*/
+    unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
+    unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
+
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+
+    buf = PORT_ZAlloc(bufSize);
+    if (buf == NULL) {
+        goto loser;
+    }      
+
+    /* zeroize the variables for the test with this data set */
+    memset(seed, 0, sizeof seed);
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, bufSize, req) != NULL) {
+
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [L = Length of the Message Digest and sha_type */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "L ", 1) == 0) {
+                i = 2;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                MDlen = atoi(&buf[i]);
+                fputs(buf, resp);
+                continue;
+            }
+        }
+        /* Len = Length of the Input Message Length  ... */
+        if (strncmp(buf, "Len", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            if (msg) {
+                PORT_ZFree(msg,msgLen);
+                msg = NULL;
+            }
+            msgLen = atoi(&buf[i]); /* in bits */
+            msgLen = msgLen/8; /* convert to bytes */
+            fputs(buf, resp);
+            msg = PORT_ZAlloc(msgLen);
+            if (msg == NULL && msgLen != 0) {
+                goto loser;
+            } 
+            continue;
+        }
+        /* MSG = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< msgLen; i+=2,j++) {
+                hex_from_2char(&buf[i], &msg[j]);
+            }
+           fputs(buf, resp);
+           /* calculate the Message Digest */ 
+           memset(MD, 0, sizeof MD);
+           if (sha_calcMD(MD, MDlen,   
+                          msg, msgLen) != SECSuccess) {
+               goto loser;
+           }
+
+           fputs("MD = ", resp);
+           to_hex_str(buf, MD, MDlen);
+           fputs(buf, resp);
+           fputc('\n', resp);
+
+           continue;
+        }
+        /* Seed = ... */
+        if (strncmp(buf, "Seed", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof seed; i+=2,j++) {
+                hex_from_2char(&buf[i], &seed[j]);
+            }                                     
+
+            fputs(buf, resp);
+            fputc('\n', resp);
+
+            /* do the Monte Carlo test */
+            if (sha_mct_test(MDlen, seed, resp) != SECSuccess) {
+                goto loser; 
+            }
+
+            continue;
+        }
+    }
+loser:
+    fclose(req);
+    if (buf) {
+        PORT_ZFree(buf, bufSize);
+    }
+    if (msg) {
+        PORT_ZFree(msg, msgLen);
+    }
+}
+
+/****************************************************/
+/* HMAC SHA-X calc                                  */
+/* hmac_computed - the computed HMAC                */
+/* hmac_length - the length of the computed HMAC    */
+/* secret_key - secret key to HMAC                  */
+/* secret_key_length - length of secret key,        */
+/* message - message to HMAC                        */
+/* message_length - length ofthe message            */
+/****************************************************/
+static SECStatus
+hmac_calc(unsigned char *hmac_computed,
+          const unsigned int hmac_length,
+          const char *secret_key,
+          const unsigned int secret_key_length,
+          const char *message,
+          const unsigned int message_length,
+          const HASH_HashType hashAlg )
+{
+    SECStatus hmac_status = SECFailure;
+    HMACContext *cx = NULL;
+    SECHashObject *hashObj = NULL;
+    unsigned int bytes_hashed = 0;
+
+    hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
+ 
+    if (!hashObj) 
+        return( SECFailure );
+
+    cx = HMAC_Create(hashObj, secret_key, 
+                     secret_key_length, 
+                     PR_TRUE);  /* PR_TRUE for in FIPS mode */
+
+    if (cx == NULL) 
+        return( SECFailure );
+
+    HMAC_Begin(cx);
+    HMAC_Update(cx, message, message_length);
+    hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
+                              hmac_length);
+
+    HMAC_Destroy(cx, PR_TRUE);
+
+    return( hmac_status );
+}
+
+/*
+ * Perform the HMAC Tests.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void hmac_test(char *reqfn) 
+{
+    int i, j;
+    size_t bufSize =      288;    /* MAX buffer size */
+    char *buf = NULL;  /* holds one line from the input REQUEST file.*/
+    unsigned int keyLen;          /* Key Length */  
+    char key[140];                /* key MAX size = 140 */
+    unsigned int msgLen = 128;    /* the length of the input  */
+                                  /*  Message is always 128 Bytes */
+    char *msg = NULL;             /* holds the message to digest.*/
+    unsigned int HMACLen;         /* the length of the HMAC Bytes  */
+    unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
+    HASH_HashType hash_alg;       /* HMAC type */
+
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+
+    buf = PORT_ZAlloc(bufSize);
+    if (buf == NULL) {
+        goto loser;
+    }      
+    msg = PORT_ZAlloc(msgLen);
+    memset(msg, 0, msgLen);
+    if (msg == NULL) {
+        goto loser;
+    } 
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, bufSize, req) != NULL) {
+
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [L = Length of the MAC and HASH_type */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "L ", 1) == 0) {
+                i = 2;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                /* HMACLen will get reused for Tlen */
+                HMACLen = atoi(&buf[i]);
+                /* set the HASH algorithm for HMAC */
+                if (HMACLen == SHA1_LENGTH) {
+                    hash_alg = HASH_AlgSHA1;
+                } else if (HMACLen == SHA256_LENGTH) {
+                    hash_alg = HASH_AlgSHA256;
+                } else if (HMACLen == SHA384_LENGTH) {
+                    hash_alg = HASH_AlgSHA384;
+                } else if (HMACLen == SHA512_LENGTH) {
+                    hash_alg = HASH_AlgSHA512;
+                } else {
+                    goto loser;
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        }
+        /* Count = test iteration number*/
+        if (strncmp(buf, "Count ", 5) == 0) {    
+            /* count can just be put into resp file */
+            fputs(buf, resp);
+            /* zeroize the variables for the test with this data set */
+            keyLen = 0; 
+            HMACLen = 0;
+            memset(key, 0, sizeof key);     
+            memset(msg, 0, sizeof msg);  
+            memset(HMAC, 0, sizeof HMAC);
+            continue;
+        }
+        /* KLen = Length of the Input Secret Key ... */
+        if (strncmp(buf, "Klen", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            keyLen = atoi(&buf[i]); /* in bytes */
+            fputs(buf, resp);
+            continue;
+        }
+        /* key = the secret key for the key to MAC */
+        if (strncmp(buf, "Key", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< keyLen; i+=2,j++) {
+                hex_from_2char(&buf[i], &key[j]);
+            }
+           fputs(buf, resp);
+        }
+        /* TLen = Length of the calculated HMAC */
+        if (strncmp(buf, "Tlen", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            HMACLen = atoi(&buf[i]); /* in bytes */
+            fputs(buf, resp);
+            continue;
+        }
+        /* MSG = to HMAC always 128 bytes for these tests */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< msgLen; i+=2,j++) {
+                hex_from_2char(&buf[i], &msg[j]);
+            }
+           fputs(buf, resp);
+           /* calculate the HMAC and output */ 
+           if (hmac_calc(HMAC, HMACLen, key, keyLen,   
+                         msg, msgLen, hash_alg) != SECSuccess) {
+               goto loser;
+           }
+           fputs("MAC = ", resp);
+           to_hex_str(buf, HMAC, HMACLen);
+           fputs(buf, resp);
+           fputc('\n', resp);
+           continue;
+        }
+    }
+loser:
+    fclose(req);
+    if (buf) {
+        PORT_ZFree(buf, bufSize);
+    }
+    if (msg) {
+        PORT_ZFree(msg, msgLen);
+    }
+}
+
 int main(int argc, char **argv)
 {
-    unsigned char key[24];
-    unsigned char inp[24];
-    unsigned char iv[8];
     if (argc < 2) exit (-1);
     NSS_NoDB_Init(NULL);
-    memset(inp, 0, sizeof inp);
-    /*************/
-    /*    DES    */
-    /*************/
-    /**** ECB ****/
-    /* encrypt */
-    if (       strcmp(argv[1], "des_5_1_1_1") == 0) {
-	printf("Variable Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_pt_kat(NSS_DES, PR_TRUE, 8, key, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_1_2") == 0) {
-	printf("Inverse Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_inv_perm_kat(NSS_DES, PR_TRUE, 8, key, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_1_3") == 0) {
-	printf("Variable Key Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_key_kat(NSS_DES, PR_TRUE, 8, key, NULL, inp);
-    } else if (strcmp(argv[1], "des_5_1_1_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Encryption\n\n");
-	des_perm_op_kat(NSS_DES, PR_TRUE, 8, NULL, NULL, inp);
-    } else if (strcmp(argv[1], "des_5_1_1_5") == 0) {
-	printf("Substitution Table Known Answer Test - Encryption\n\n");
-	des_sub_tbl_kat(NSS_DES, PR_TRUE, 8, NULL, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_1_6") == 0) {
-	printf("Modes Test for the Encryption Process\n\n");
-	des_modes(NSS_DES, PR_TRUE, 8, des_ecb_enc_key, 
-                  NULL, des_ecb_enc_inp, 0);
-    /* decrypt */
-    } else if (strcmp(argv[1], "des_5_1_2_1") == 0) {
-	printf("Variable Ciphertext Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_pt_kat(NSS_DES, PR_FALSE, 8, key, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_2_2") == 0) {
-	printf("Inverse Permutation Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_inv_perm_kat(NSS_DES, PR_FALSE, 8, key, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_2_3") == 0) {
-	printf("Variable Key Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_key_kat(NSS_DES, PR_FALSE, 8, key, NULL, inp);
-    } else if (strcmp(argv[1], "des_5_1_2_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Decryption\n\n");
-	des_perm_op_kat(NSS_DES, PR_FALSE, 8, NULL, NULL, inp);
-    } else if (strcmp(argv[1], "des_5_1_2_5") == 0) {
-	printf("Substitution Table Known Answer Test - Decryption\n\n");
-	des_sub_tbl_kat(NSS_DES, PR_FALSE, 8, NULL, NULL, NULL);
-    } else if (strcmp(argv[1], "des_5_1_2_6") == 0) {
-	printf("Modes Test for the Decryption Process\n\n");
-	des_modes(NSS_DES, PR_FALSE, 8, des_ecb_dec_key, 
-                  NULL, des_ecb_dec_inp, 0);
-    /**** CBC ****/
-    /* encrypt */
-    } else if (strcmp(argv[1], "des_5_2_1_1") == 0) {
-	printf("Variable Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_pt_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_1_2") == 0) {
-	printf("Inverse Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_inv_perm_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_1_3") == 0) {
-	printf("Variable Key Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_key_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, inp);
-    } else if (strcmp(argv[1], "des_5_2_1_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Encryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_perm_op_kat(NSS_DES_CBC, PR_TRUE, 8, NULL, iv, inp);
-    } else if (strcmp(argv[1], "des_5_2_1_5") == 0) {
-	printf("Substitution Table Known Answer Test - Encryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_sub_tbl_kat(NSS_DES_CBC, PR_TRUE, 8, NULL, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_1_6") == 0) {
-	printf("Modes Test for the Encryption Process\n\n");
-	des_modes(NSS_DES_CBC, PR_TRUE, 8, des_cbc_enc_key, 
-                  des_cbc_enc_iv, des_cbc_enc_inp, 0);
-    /* decrypt */
-    } else if (strcmp(argv[1], "des_5_2_2_1") == 0) {
-	printf("Variable Ciphertext Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_pt_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_2_2") == 0) {
-	printf("Inverse Permutation Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_inv_perm_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_2_3") == 0) {
-	printf("Variable Key Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_key_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, inp);
-    } else if (strcmp(argv[1], "des_5_2_2_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Decryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_perm_op_kat(NSS_DES_CBC, PR_FALSE, 8, NULL, iv, inp);
-    } else if (strcmp(argv[1], "des_5_2_2_5") == 0) {
-	printf("Substitution Table Known Answer Test - Decryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_sub_tbl_kat(NSS_DES_CBC, PR_FALSE, 8, NULL, iv, NULL);
-    } else if (strcmp(argv[1], "des_5_2_2_6") == 0) {
-	printf("Modes Test for the Decryption Process\n\n");
-	des_modes(NSS_DES_CBC, PR_FALSE, 8, des_cbc_dec_key, 
-                  des_cbc_dec_iv, des_cbc_dec_inp, 0);
     /*************/
     /*   TDEA    */
     /*************/
-    /**** ECB ****/
-    /* encrypt */
-    } else if (strcmp(argv[1], "tdea_5_1_1_1") == 0) {
-	printf("Variable Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_pt_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_1_2") == 0) {
-	printf("Inverse Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_inv_perm_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_1_3") == 0) {
-	printf("Variable Key Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_key_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, inp);
-    } else if (strcmp(argv[1], "tdea_5_1_1_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Encryption\n\n");
-	des_perm_op_kat(NSS_DES_EDE3, PR_TRUE, 24, NULL, NULL, inp);
-    } else if (strcmp(argv[1], "tdea_5_1_1_5") == 0) {
-	printf("Substitution Table Known Answer Test - Encryption\n\n");
-	des_sub_tbl_kat(NSS_DES_EDE3, PR_TRUE, 24, NULL, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_1_6_3") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmontee1\n\n");
-	des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea1_ecb_enc_key, 
-                  NULL, tdea1_ecb_enc_inp, 1);
-    } else if (strcmp(argv[1], "tdea_5_1_1_6_2") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmontee2\n\n");
-	des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea2_ecb_enc_key, 
-                  NULL, tdea2_ecb_enc_inp, 2);
-    } else if (strcmp(argv[1], "tdea_5_1_1_6_1") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmontee3\n\n");
-	des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea3_ecb_enc_key, 
-                  NULL, tdea3_ecb_enc_inp, 3);
-    /* decrypt */
-    } else if (strcmp(argv[1], "tdea_5_1_2_1") == 0) {
-	printf("Variable Ciphertext Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_pt_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_2_2") == 0) {
-	printf("Inverse Permutation Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_inv_perm_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_2_3") == 0) {
-	printf("Variable Key Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	des_var_key_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, inp);
-    } else if (strcmp(argv[1], "tdea_5_1_2_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Decryption\n\n");
-	des_perm_op_kat(NSS_DES_EDE3, PR_FALSE, 24, NULL, NULL, inp);
-    } else if (strcmp(argv[1], "tdea_5_1_2_5") == 0) {
-	printf("Substitution Table Known Answer Test - Decryption\n\n");
-	des_sub_tbl_kat(NSS_DES_EDE3, PR_FALSE, 24, NULL, NULL, NULL);
-    } else if (strcmp(argv[1], "tdea_5_1_2_6_3") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmonted1\n\n");
-	des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea1_ecb_dec_key, 
-                  NULL, tdea1_ecb_dec_inp, 1);
-    } else if (strcmp(argv[1], "tdea_5_1_2_6_2") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmonted2\n\n");
-	des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea2_ecb_dec_key, 
-                  NULL, tdea2_ecb_dec_inp, 2);
-    } else if (strcmp(argv[1], "tdea_5_1_2_6_1") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datecbmonted3\n\n");
-	des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea3_ecb_dec_key, 
-                  NULL, tdea3_ecb_dec_inp, 3);
-    /**** CBC ****/
-    /* encrypt */
-    } else if (strcmp(argv[1], "tdea_5_2_1_1") == 0) {
-	printf("Variable Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_pt_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_1_2") == 0) {
-	printf("Inverse Plaintext Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_inv_perm_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_1_3") == 0) {
-	printf("Variable Key Known Answer Test - Encryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_key_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, inp);
-    } else if (strcmp(argv[1], "tdea_5_2_1_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Encryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_perm_op_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, NULL, iv, inp);
-    } else if (strcmp(argv[1], "tdea_5_2_1_5") == 0) {
-	memset(iv, 0, sizeof iv);
-	printf("Substitution Table Known Answer Test - Encryption\n\n");
-	des_sub_tbl_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, NULL, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_1_6_3") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmontee1\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea1_cbc_enc_key, 
-                  tdea1_cbc_enc_iv, tdea1_cbc_enc_inp, 1);
-    } else if (strcmp(argv[1], "tdea_5_2_1_6_2") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmontee2\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea2_cbc_enc_key, 
-                  tdea2_cbc_enc_iv, tdea2_cbc_enc_inp, 2);
-    } else if (strcmp(argv[1], "tdea_5_2_1_6_1") == 0) {
-	printf("Modes Test for the Encryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmontee3\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea3_cbc_enc_key, 
-                  tdea3_cbc_enc_iv, tdea3_cbc_enc_inp, 3);
-    /* decrypt */
-    } else if (strcmp(argv[1], "tdea_5_2_2_1") == 0) {
-	printf("Variable Ciphertext Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_pt_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_2_2") == 0) {
-	printf("Inverse Permutation Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_inv_perm_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_2_3") == 0) {
-	printf("Variable Key Known Answer Test - Decryption\n\n");
-	memset(key, 1, sizeof key);
-	memset(iv, 0, sizeof iv);
-	des_var_key_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, inp);
-    } else if (strcmp(argv[1], "tdea_5_2_2_4") == 0) {
-	printf("Permutation Operation Known Answer Test - Decryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_perm_op_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, NULL, iv, inp);
-    } else if (strcmp(argv[1], "tdea_5_2_2_5") == 0) {
-	printf("Substitution Table Known Answer Test - Decryption\n\n");
-	memset(iv, 0, sizeof iv);
-	des_sub_tbl_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, NULL, iv, NULL);
-    } else if (strcmp(argv[1], "tdea_5_2_2_6_3") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmonted1\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea1_cbc_dec_key, 
-                  tdea1_cbc_dec_iv, tdea1_cbc_dec_inp, 1);
-    } else if (strcmp(argv[1], "tdea_5_2_2_6_2") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmonted2\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea2_cbc_dec_key, 
-                  tdea2_cbc_dec_iv, tdea2_cbc_dec_inp, 2);
-    } else if (strcmp(argv[1], "tdea_5_2_2_6_1") == 0) {
-	printf("Modes Test for the Decryption Process\n");
-	printf("DATA FILE UTILIZED: datcbcmonted3\n\n");
-	des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea3_cbc_dec_key, 
-                  tdea3_cbc_dec_iv, tdea3_cbc_dec_inp, 3);
+    if (strcmp(argv[1], "tdea") == 0) {
+        /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
+        if (strcmp(argv[2], "kat") == 0) {
+            /* Known Answer Test (KAT) */
+            tdea_kat_mmt(argv[4]);     
+        } else if (strcmp(argv[2], "mmt") == 0) {
+            /* Multi-block Message Test (MMT) */
+                tdea_kat_mmt(argv[4]);
+        } else if (strcmp(argv[2], "mct") == 0) {
+                /* Monte Carlo Test (MCT) */
+                if (strcmp(argv[3], "ecb") == 0) {
+                    /* ECB mode */
+                    tdea_mct(NSS_DES_EDE3, argv[4]); 
+                } else if (strcmp(argv[3], "cbc") == 0) {
+                    /* CBC mode */
+                    tdea_mct(NSS_DES_EDE3_CBC, argv[4]);
+                }
+        }
     /*************/
     /*   AES     */
     /*************/
     } else if (strcmp(argv[1], "aes") == 0) {
 	/* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
 	if (       strcmp(argv[2], "kat") == 0) {
 	    /* Known Answer Test (KAT) */
 	    aes_kat_mmt(argv[4]);
@@ -2627,25 +3358,50 @@ int main(int argc, char **argv)
 		/* ECB mode */
 		aes_ecb_mct(argv[4]);
 	    } else if (strcmp(argv[3], "cbc") == 0) {
 		/* CBC mode */
 		aes_cbc_mct(argv[4]);
 	    }
 	}
     /*************/
-    /*   SHS     */
+    /*   SHA     */
+    /*************/
+    } else if (strcmp(argv[1], "sha") == 0) {
+        sha_test(argv[2]);
     /*************/
-    } else if (strcmp(argv[1], "shs") == 0) {
-	shs_test(argv[2]);
+    /*   HMAC    */
+    /*************/
+    } else if (strcmp(argv[1], "hmac") == 0) {
+        hmac_test(argv[2]);
     /*************/
     /*   DSS     */
     /*************/
     } else if (strcmp(argv[1], "dss") == 0) {
 	dss_test(argv[2], argv[3]);
+#ifdef NSS_ENABLE_ECC
+    /*************/
+    /*   ECDSA   */
+    /*************/
+    } else if (strcmp(argv[1], "ecdsa") == 0) {
+	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
+	if (       strcmp(argv[2], "keypair") == 0) {
+	    /* Key Pair Generation Test */
+	    ecdsa_keypair_test(argv[3]);
+	} else if (strcmp(argv[2], "pkv") == 0) {
+	    /* Public Key Validation Test */
+	    ecdsa_pkv_test(argv[3]);
+	} else if (strcmp(argv[2], "siggen") == 0) {
+	    /* Signature Generation Test */
+	    ecdsa_siggen_test(argv[3]);
+	} else if (strcmp(argv[2], "sigver") == 0) {
+	    /* Signature Verification Test */
+	    ecdsa_sigver_test(argv[3]);
+	}
+#endif /* NSS_ENABLE_ECC */
     /*************/
     /*   RNG     */
     /*************/
     } else if (strcmp(argv[1], "rng") == 0) {
 	do_random();
     }
     return 0;
 }
new file mode 100755
--- /dev/null
+++ b/security/nss/cmd/fipstest/hmac.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+                               
+hmac_requests="
+HMAC.req
+"
+
+for request in $hmac_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest hmac $request > $response
+done
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/sha.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+                               
+sha_ShortMsg_requests="
+SHA1ShortMsg.req
+SHA256ShortMsg.req
+SHA384ShortMsg.req
+SHA512ShortMsg.req
+"
+
+sha_LongMsg_requests="
+SHA1LongMsg.req
+SHA256LongMsg.req
+SHA384LongMsg.req
+SHA512LongMsg.req
+"
+
+sha_Monte_requests="
+SHA1Monte.req
+SHA256Monte.req
+SHA384Monte.req
+SHA512Monte.req
+"
+for request in $sha_ShortMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+for request in $sha_LongMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+for request in $sha_Monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/tdea.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST tdea Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+#CBC_Known_Answer_tests
+#Initial Permutation KAT  
+#Permutation Operation KAT 
+#Subsitution Table KAT    
+#Variable Key KAT         
+#Variable PlainText KAT   
+cbc_kat_requests="
+TCBCinvperm.req   
+TCBCpermop.req    
+TCBCsubtab.req    
+TCBCvarkey.req    
+TCBCvartext.req   
+"
+
+#CBC Monte Carlo KATs
+cbc_monte_requests="
+TCBCMonte1.req
+TCBCMonte2.req
+TCBCMonte3.req
+"
+#Multi-block Message KATs
+cbc_mmt_requests="
+TCBCMMT1.req
+TCBCMMT2.req
+TCBCMMT3.req
+"
+
+ecb_kat_requests="
+TECBinvperm.req   
+TECBpermop.req    
+TECBsubtab.req    
+TECBvarkey.req    
+TECBvartext.req   
+"
+
+ecb_monte_requests="
+TECBMonte1.req
+TECBMonte2.req
+TECBMonte3.req
+"
+
+ecb_mmt_requests="
+TECBMMT1.req
+TECBMMT2.req
+TECBMMT3.req
+"
+
+for request in $ecb_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt ecb $request > $response
+done
+for request in $ecb_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat ecb $request > $response
+done
+for request in $ecb_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct ecb $request > $response
+done
+for request in $cbc_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt cbc $request > $response
+done
+for request in $cbc_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat cbc $request > $response
+done
+for request in $cbc_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct cbc $request > $response
+done
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ilock/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ilock/ilock.c
@@ -0,0 +1,202 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape Portable Runtime (NSPR).
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** File: ilock.c
+** Description:  ilock.c is a unit test for nssilock. ilock.c
+** tests the basic operation of nssilock. It should not be
+** considered a complete test suite.
+**
+** To check that logging works, before running this test,
+** define the following environment variables:
+** 
+**
+**
+**
+**
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <plgetopt.h> 
+#include <nspr.h>
+#include <nssilock.h>
+
+
+/*
+** Test harness infrastructure
+*/
+PRLogModuleInfo *lm;
+PRLogModuleLevel msgLevel = PR_LOG_NONE;
+PRIntn  debug = 0;
+PRUint32  failed_already = 0;
+/* end Test harness infrastructure */
+
+PRIntn optIterations = 1; /* default iterations  */
+
+PRIntn main(PRIntn argc, char *argv[])
+{
+    PRIntn i;
+    {
+        /*
+        ** Get command line options
+        */
+        PLOptStatus os;
+        PLOptState *opt = PL_CreateOptState(argc, argv, "hdvi:");
+
+	    while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
+        {
+		    if (PL_OPT_BAD == os) continue;
+            switch (opt->option)
+            {
+            case 'd':  /* debug */
+                debug = 1;
+			    msgLevel = PR_LOG_ERROR;
+                break;
+            case 'v':  /* verbose mode */
+			    msgLevel = PR_LOG_DEBUG;
+                break;
+            case 'i':  /* number of iterations */
+			    optIterations = atol( opt->value );
+                if ( 0 == optIterations ) optIterations = 1; /* coerce default on zero */
+                break;
+             default:
+                break;
+            }
+        }
+	    PL_DestroyOptState(opt);
+    }
+
+    for ( i = 0 ; i < optIterations ; i++ ) {
+        /* First, test Lock */ 
+        {
+            PZLock *pl;
+            PZMonitor *pm;
+            PZCondVar *cv;
+            PRStatus rc;
+
+            pl = PZ_NewLock( nssILockOther );
+            if ( NULL == pl )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            PZ_Lock( pl );
+        
+            rc = PZ_Unlock( pl );
+            if ( PR_FAILURE == rc )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            PZ_DestroyLock( pl );
+
+        /* now, test CVar */
+            /* re-create the lock we just destroyed */
+            pl = PZ_NewLock( nssILockOther );
+            if ( NULL == pl )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+
+            cv = PZ_NewCondVar( pl );
+            if ( NULL == cv ) {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+
+            PZ_Lock( pl );
+            rc = PZ_NotifyCondVar( cv );
+            if ( PR_FAILURE == rc ) {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+
+            rc = PZ_NotifyAllCondVar( cv );
+            if ( PR_FAILURE == rc ) {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+
+            rc = PZ_WaitCondVar( cv, PR_SecondsToInterval(1));
+            if ( PR_FAILURE == rc ) {
+                if ( PR_UNKNOWN_ERROR != PR_GetError())  {
+                    failed_already = PR_TRUE;
+                    goto Finished;
+                }
+            }
+            PZ_Unlock( pl );
+            PZ_DestroyCondVar( cv );
+
+        /* Now, test Monitor */
+            pm = PZ_NewMonitor( nssILockOther );
+            if ( NULL == pm )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+        
+            PZ_EnterMonitor( pm );
+
+            rc = PZ_Notify( pm );
+            if ( PR_FAILURE == rc )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            rc = PZ_NotifyAll( pm );
+            if ( PR_FAILURE == rc )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            rc = PZ_Wait( pm, PR_INTERVAL_NO_WAIT );
+            if ( PR_FAILURE == rc )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            rc = PZ_ExitMonitor( pm );
+            if ( PR_FAILURE == rc )  {
+                failed_already = PR_TRUE;
+                goto Finished;
+            }
+            PZ_DestroyMonitor( pm );
+        }
+    } /* --- end for() --- */
+
+
+Finished:
+    if (debug) printf("%s\n", (failed_already)? "FAIL" : "PASS");
+    return( (failed_already == PR_TRUE )? 1 : 0 );
+}  /* main() */
+/* end ilock.c */
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ilock/manifest.mn
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = ilock.c
+
+PROGRAM = ilock 
+# PROGRAM = ./$(OBJDIR)/ilock.exe
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/include/secnew.h
@@ -0,0 +1,166 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef __secnew_h_
+#define __secnew_h_
+
+#include <stdio.h>
+
+typedef struct BERTemplateStr BERTemplate;
+typedef struct BERParseStr BERParse;
+typedef struct SECArbStr SECArb;
+
+/*
+ * An array of these structures define an encoding for an object using
+ * DER. The array is terminated with an entry where kind == 0.
+ */
+struct BERTemplateStr {
+    /* Kind of item to decode/encode */
+    unsigned long kind;
+
+    /*
+     * Offset from base of structure to SECItem that will hold
+     * decoded/encoded value.
+     */
+    unsigned short offset;
+
+    /*
+     * Used with DER_SET or DER_SEQUENCE. If not zero then points to a
+     * sub-template. The sub-template is filled in and completed before
+     * continuing on.
+     */
+    BERTemplate *sub;
+
+    /*
+     * Argument value, dependent on kind.  Size of structure to allocate
+     * when kind==DER_POINTER For Context-Specific Implicit types its the
+     * underlying type to use.
+     */
+    unsigned long arg;
+};
+
+/*
+ * an arbitrary object
+ */
+struct SECArbStr {
+    unsigned long tag;		/* NOTE: does not support high tag form */
+    unsigned long length;	/* as reported in stream */
+    union {
+	SECItem item;
+	struct {
+	   int numSubs;
+	   SECArb **subs;
+	} cons;
+    } body;
+};
+
+/*
+ * Decode a piece of der encoded data.
+ *      "dest" points to a structure that will be filled in with the
+ *         decoding results.
+ *      "t" is a template structure which defines the shape of the
+ *         expected data.
+ *      "src" is the ber encoded data.
+ */
+
+extern SECStatus BER_Decode(PRArenaPool * arena, void *dest, BERTemplate *t,
+                           SECArb *arb);
+
+
+/*
+ * Encode a data structure into DER.
+ * 	"dest" will be filled in (and memory allocated) to hold the der
+ * 	   encoded structure in "src"
+ * 	"t" is a template structure which defines the shape of the
+ * 	   stored data
+ * 	"src" is a pointer to the structure that will be encoded
+ */
+
+extern SECStatus BER_Encode(PRArenaPool *arena, SECItem *dest, BERTemplate *t,
+			   void *src);
+
+/*
+ * Client provided function that will get called with all the bytes
+ * passing through the parser
+ */
+typedef void (*BERFilterProc)(void *instance, unsigned char *buf, int length);
+
+/*
+ * Client provided function that can will be called after the tag and
+ * length information has been collected. It can be set up to be called
+ * either before or after the data has been colleced.
+ */
+typedef void (*BERNotifyProc)(
+    void *instance, SECArb *arb, int depth, PRBool before);
+
+extern BERParse *BER_ParseInit(PRArenaPool *arena, PRBool forceDER);
+extern SECArb *BER_ParseFini(BERParse *h);
+extern SECStatus BER_ParseSome(BERParse *h, unsigned char *buf, int len);
+
+extern void BER_SetFilter(BERParse *h, BERFilterProc proc, void *instance);
+extern void BER_SetLeafStorage(BERParse *h, PRBool keep);
+extern void BER_SetNotifyProc(BERParse *h, BERNotifyProc proc, void *instance,
+			      PRBool beforeData);
+
+/*
+ * A BERUnparseProc is used as a callback to put the encoded SECArb tree
+ * tree to some stream. It returns PR_TRUE if the unparsing is to be
+ * aborted.
+ */
+typedef SECStatus (*BERUnparseProc)(
+    void *instance, unsigned char *data, int length, SECArb* arb);
+
+/*
+ * BER_Unparse walks the SECArb tree calling the BERUnparseProc with
+ * various pieces. It returns SECFailure if there was an error during that
+ * tree walk.
+ */
+extern SECStatus BER_Unparse(SECArb *arb, BERUnparseProc proc, void *instance);
+
+/*
+ * BER_ResolveLengths does a recursive walk through the tree generating
+ * non-zero entries for the length field of each node. It will fail if it
+ * discoveres a non-constructed node with a unknown length data field.
+ * Leaves are supposed to be of known length.
+ */
+extern SECStatus BER_ResolveLengths(SECArb *arb);
+
+/*
+ * BER_PRettyPrintArb will write an ASCII version of the tree to the FILE
+ * out.
+ */
+extern SECStatus BER_PrettyPrintArb(FILE *out, SECArb* a);
+
+#endif /* __secnew_h_ */
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/keyutil/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/keyutil/keyutil.c
@@ -0,0 +1,344 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <string.h>
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#include <sys/time.h>
+#include <termios.h>
+#endif
+
+#include "secopt.h"
+
+#if defined(XP_WIN)
+#include <time.h>
+#include <conio.h>
+#endif
+
+#if defined(__sun) && !defined(SVR4)
+extern int fclose(FILE*);
+extern int fprintf(FILE *, char *, ...);
+extern int getopt(int, char**, char*);
+extern int isatty(int);
+extern char *optarg;
+extern char *sys_errlist[];
+#define strerror(errno) sys_errlist[errno]
+#endif
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+static char *progName;
+
+static SECStatus
+ListKeys(SECKEYKeyDBHandle *handle, FILE *out)
+{
+    int rt;
+
+    rt = SECU_PrintKeyNames(handle, out);
+    if (rt) {
+	SECU_PrintError(progName, "unable to list nicknames");
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+DumpPublicKey(SECKEYKeyDBHandle *handle, char *nickname, FILE *out)
+{
+    SECKEYLowPrivateKey *privKey;
+    SECKEYLowPublicKey *publicKey;
+
+    /* check if key actually exists */
+    if (SECU_CheckKeyNameExists(handle, nickname) == PR_FALSE) {
+	SECU_PrintError(progName, "the key \"%s\" does not exist", nickname);
+	return SECFailure;
+    }
+
+    /* Read in key */
+    privKey = SECU_GetPrivateKey(handle, nickname);
+    if (!privKey) {
+	return SECFailure;
+    }
+
+    publicKey = SECKEY_LowConvertToPublicKey(privKey);
+
+    /* Output public key (in the clear) */
+    switch(publicKey->keyType) {
+      case rsaKey:
+	fprintf(out, "RSA Public-Key:\n");
+	SECU_PrintInteger(out, &publicKey->u.rsa.modulus, "modulus", 1);
+	SECU_PrintInteger(out, &publicKey->u.rsa.publicExponent,
+			  "publicExponent", 1);
+	break;
+      case dsaKey:
+	fprintf(out, "DSA Public-Key:\n");
+	SECU_PrintInteger(out, &publicKey->u.dsa.params.prime, "prime", 1);
+	SECU_PrintInteger(out, &publicKey->u.dsa.params.subPrime,
+			  "subPrime", 1);
+	SECU_PrintInteger(out, &publicKey->u.dsa.params.base, "base", 1);
+	SECU_PrintInteger(out, &publicKey->u.dsa.publicValue, "publicValue", 1);
+	break;
+      default:
+	fprintf(out, "unknown key type\n");
+	break;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+DumpPrivateKey(SECKEYKeyDBHandle *handle, char *nickname, FILE *out)
+{
+    SECKEYLowPrivateKey *key;
+
+    /* check if key actually exists */
+    if (SECU_CheckKeyNameExists(handle, nickname) == PR_FALSE) {
+	SECU_PrintError(progName, "the key \"%s\" does not exist", nickname);
+	return SECFailure;
+    }
+
+    /* Read in key */
+    key = SECU_GetPrivateKey(handle, nickname);
+    if (!key) {
+	SECU_PrintError(progName, "error retrieving key");
+	return SECFailure;
+    }
+
+    switch(key->keyType) {
+      case rsaKey:
+	fprintf(out, "RSA Private-Key:\n");
+	SECU_PrintInteger(out, &key->u.rsa.modulus, "modulus", 1);
+	SECU_PrintInteger(out, &key->u.rsa.publicExponent, "publicExponent", 1);
+	SECU_PrintInteger(out, &key->u.rsa.privateExponent,
+			  "privateExponent", 1);
+	SECU_PrintInteger(out, &key->u.rsa.prime1, "prime1", 1);
+	SECU_PrintInteger(out, &key->u.rsa.prime2, "prime2", 1);
+	SECU_PrintInteger(out, &key->u.rsa.exponent1, "exponent1", 1);
+	SECU_PrintInteger(out, &key->u.rsa.exponent2, "exponent2", 1);
+	SECU_PrintInteger(out, &key->u.rsa.coefficient, "coefficient", 1);
+	break;
+      case dsaKey:
+	fprintf(out, "DSA Private-Key:\n");
+	SECU_PrintInteger(out, &key->u.dsa.params.prime, "prime", 1);
+	SECU_PrintInteger(out, &key->u.dsa.params.subPrime, "subPrime", 1);
+	SECU_PrintInteger(out, &key->u.dsa.params.base, "base", 1);
+	SECU_PrintInteger(out, &key->u.dsa.publicValue, "publicValue", 1);
+	SECU_PrintInteger(out, &key->u.dsa.privateValue, "privateValue", 1);
+	break;
+      default:
+	fprintf(out, "unknown key type\n");
+	break;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+ChangePassword(SECKEYKeyDBHandle *handle)
+{
+    SECStatus rv;
+
+    /* Write out database with a new password */
+    rv = SECU_ChangeKeyDBPassword(handle, NULL);
+    if (rv) {
+	SECU_PrintError(progName, "unable to change key password");
+    }
+    return rv;
+}
+
+static SECStatus
+DeletePrivateKey (SECKEYKeyDBHandle *keyHandle, char *nickName)
+{
+    SECStatus rv;
+
+    rv = SECU_DeleteKeyByName (keyHandle, nickName);
+    if (rv != SECSuccess)
+	fprintf(stderr, "%s: problem deleting private key (%s)\n",
+		progName, SECU_Strerror(PR_GetError()));
+    return (rv);
+
+}
+
+
+static void
+Usage(const char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -p name [-d keydir]\n", progName);
+    fprintf(stderr,
+	    "        %s -P name [-d keydir]\n", progName);
+    fprintf(stderr,
+	    "        %s -D name [-d keydir]\n", progName);
+    fprintf(stderr,
+	    "        %s -l [-d keydir]\n", progName);
+    fprintf(stderr,
+	    "        %s -c [-d keydir]\n", progName);
+
+    fprintf(stderr, "%-20s Pretty print public key info for named key\n",
+	    "-p nickname");
+    fprintf(stderr, "%-20s Pretty print private key info for named key\n",
+	    "-P nickname");
+    fprintf(stderr, "%-20s Delete named private key from the key database\n",
+	    "-D nickname");
+    fprintf(stderr, "%-20s List the nicknames for the keys in a database\n",
+	    "-l");
+    fprintf(stderr, "%-20s Change the key database password\n",
+	    "-c");
+    fprintf(stderr, "\n");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    int o, changePassword, deleteKey, dumpPublicKey, dumpPrivateKey, list;
+    char *nickname;
+    SECStatus rv;
+    SECKEYKeyDBHandle *keyHandle;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    /* Parse command line arguments */
+    changePassword = deleteKey = dumpPublicKey = dumpPrivateKey = list = 0;
+    nickname = NULL;
+
+    while ((o = getopt(argc, argv, "ADP:cd:glp:")) != -1) {
+	switch (o) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'A':
+	    fprintf(stderr, "%s: Can no longer add a key.", progName);
+	    fprintf(stderr, " Use pkcs12 to import a key.\n\n");
+	    Usage(progName);
+	    break;
+
+	  case 'D':
+	    deleteKey = 1;
+	    nickname = optarg;
+	    break;
+
+	  case 'P':
+	    dumpPrivateKey = 1;
+	    nickname = optarg;
+	    break;
+
+	  case 'c':
+	    changePassword = 1;
+	    break;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optarg);
+	    break;
+
+	  case 'g':
+	    fprintf(stderr, "%s: Can no longer generate a key.", progName);
+	    fprintf(stderr, " Use certutil to generate a cert request.\n\n");
+	    Usage(progName);
+	    break;
+
+	  case 'l':
+	    list = 1;
+	    break;
+
+	  case 'p':
+	    dumpPublicKey = 1;
+	    nickname = optarg;
+	    break;
+	}
+    }
+
+    if (dumpPublicKey+changePassword+dumpPrivateKey+list+deleteKey != 1)
+	Usage(progName);
+
+    if ((list || changePassword) && nickname)
+	Usage(progName);
+
+    if ((dumpPublicKey || dumpPrivateKey || deleteKey) && !nickname)
+	Usage(progName);
+
+
+    /* Call the libsec initialization routines */
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    SEC_Init();
+
+    /*
+     * XXX Note that the following opens the key database writable.
+     * If dumpPublicKey or dumpPrivateKey or list, though, we only want
+     * to open it read-only.  There needs to be a better interface
+     * to the initialization routines so that we can specify which way
+     * to open it.
+     */
+    rv = SECU_PKCS11Init();
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "SECU_PKCS11Init failed");
+	return -1;
+    }
+
+    keyHandle = SECKEY_GetDefaultKeyDB();
+    if (keyHandle == NULL) {
+        SECU_PrintError(progName, "could not open key database");
+	return -1;
+    }
+
+    SECU_RegisterDynamicOids();
+    if (dumpPublicKey) {
+	rv = DumpPublicKey(keyHandle, nickname, stdout);
+    } else
+    if (changePassword) {
+	rv = ChangePassword(keyHandle);
+    } else
+    if (dumpPrivateKey) {
+	rv = DumpPrivateKey(keyHandle, nickname, stdout);
+    } else
+    if (list) {
+	rv = ListKeys(keyHandle, stdout);
+    } else
+    if (deleteKey) {
+	rv = DeletePrivateKey(keyHandle, nickname);
+    }
+
+    
+    return rv ? -1 : 0;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/keyutil/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	keyutil.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm
+
+
+PROGRAM = keyutil
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/pkiutil/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/pkiutil/manifest.mn
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = \
+	pkiutil.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = pkiutil
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/pkiutil/pkiutil.c
@@ -0,0 +1,376 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "nss.h"
+#include "cmdutil.h"
+#include "nsspki.h"
+/* hmmm...*/
+#include "pki.h"
+
+#define PKIUTIL_VERSION_STRING "pkiutil version 0.1"
+
+char *progName = NULL;
+
+typedef struct {
+    PRBool      raw;
+    PRBool      ascii;
+    char       *name;
+    PRFileDesc *file;
+} objOutputMode;
+
+typedef enum {
+    PKIUnknown = -1,
+    PKICertificate,
+    PKIPublicKey,
+    PKIPrivateKey,
+    PKIAny
+} PKIObjectType;
+
+static PKIObjectType
+get_object_class(char *type)
+{
+    if (strcmp(type, "certificate") == 0 || strcmp(type, "cert") == 0 ||
+        strcmp(type, "Certificate") == 0 || strcmp(type, "Cert") == 0) {
+	return PKICertificate;
+    } else if (strcmp(type, "public_key") == 0 || 
+               strcmp(type, "PublicKey") == 0) {
+	return PKIPublicKey;
+    } else if (strcmp(type, "private_key") == 0 || 
+               strcmp(type, "PrivateKey") == 0) {
+	return PKIPrivateKey;
+    } else if (strcmp(type, "all") == 0 || strcmp(type, "any") == 0) {
+	return PKIAny;
+    }
+    fprintf(stderr, "%s: \"%s\" is not a valid PKCS#11 object type.\n",
+                     progName, type);
+    return PKIUnknown;
+}
+
+static PRStatus
+print_cert_callback(NSSCertificate *c, void *arg)
+{
+    int i;
+    NSSUTF8 *label;
+    NSSItem *id;
+    label = NSSCertificate_GetLabel(c);
+    printf("%s\n", label);
+    nss_ZFreeIf((void*)label);
+#if 0
+    id = NSSCertificate_GetID(c);
+    for (i=0; i<id->size; i++) {
+	printf("%c", ((char *)id->data)[i]);
+    }
+    printf("\n");
+#endif
+    return PR_SUCCESS;
+}
+
+/*  pkiutil commands  */
+enum {
+    cmd_Add = 0,
+    cmd_Dump,
+    cmd_List,
+    cmd_Version,
+    pkiutil_num_commands
+};
+
+/*  pkiutil options */
+enum {
+    opt_Help = 0,
+    opt_Ascii,
+    opt_ProfileDir,
+    opt_TokenName,
+    opt_InputFile,
+    opt_Nickname,
+    opt_OutputFile,
+    opt_Binary,
+    opt_Trust,
+    opt_Type,
+    pkiutil_num_options
+};
+
+static cmdCommandLineArg pkiutil_commands[] =
+{
+ { /* cmd_Add         */  'A', "add", CMDNoArg, 0, PR_FALSE, 
+                           CMDBIT(opt_Nickname) | CMDBIT(opt_Trust), 
+                           CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) 
+                           | CMDBIT(opt_TokenName) | CMDBIT(opt_InputFile) 
+                           | CMDBIT(opt_Binary) | CMDBIT(opt_Type) },
+ { /* cmd_Dump        */   0 , "dump", CMDNoArg, 0, PR_FALSE,
+                           CMDBIT(opt_Nickname),
+                           CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) 
+                           | CMDBIT(opt_TokenName) | CMDBIT(opt_Binary)
+                           | CMDBIT(opt_Type) },
+ { /* cmd_List        */  'L', "list", CMDNoArg, 0, PR_FALSE, 0, 
+                           CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) 
+                           | CMDBIT(opt_TokenName) | CMDBIT(opt_Binary)
+                           | CMDBIT(opt_Nickname) | CMDBIT(opt_Type) },
+ { /* cmd_Version     */  'Y', "version", CMDNoArg, 0, PR_FALSE, 0, 0 }
+};
+
+static cmdCommandLineOpt pkiutil_options[] =
+{
+ { /* opt_Help        */  '?', "help",     CMDNoArg,   0, PR_FALSE },
+ { /* opt_Ascii       */  'a', "ascii",    CMDNoArg,   0, PR_FALSE },
+ { /* opt_ProfileDir  */  'd', "dbdir",    CMDArgReq,  0, PR_FALSE },
+ { /* opt_TokenName   */  'h', "token",    CMDArgReq,  0, PR_FALSE },
+ { /* opt_InputFile   */  'i', "infile",   CMDArgReq,  0, PR_FALSE },
+ { /* opt_Nickname    */  'n', "nickname", CMDArgReq,  0, PR_FALSE },
+ { /* opt_OutputFile  */  'o', "outfile",  CMDArgReq,  0, PR_FALSE },
+ { /* opt_Binary      */  'r', "raw",      CMDNoArg,   0, PR_FALSE },
+ { /* opt_Trust       */  't', "trust",    CMDArgReq,  0, PR_FALSE },
+ { /* opt_Type        */   0 , "type",     CMDArgReq,  0, PR_FALSE }
+};
+
+void pkiutil_usage(cmdPrintState *ps, 
+                   int num, PRBool cmd, PRBool header, PRBool footer)
+{
+#define pusg CMD_PrintUsageString
+    if (header) {
+	pusg(ps, "utility for managing PKCS#11 objects (certs and keys)\n");
+    } else if (footer) {
+	/*
+	printf("certificate trust can be:\n");
+	printf(" p - valid peer, P - trusted peer (implies p)\n");
+	printf(" c - valid CA\n");
+	printf("  T - trusted CA to issue client certs (implies c)\n");
+	printf("  C - trusted CA to issue server certs (implies c)\n");
+	printf(" u - user cert\n");
+	printf(" w - send warning\n");
+	*/
+    } else if (cmd) {
+	switch(num) {
+	case cmd_Add:     
+	    pusg(ps, "Add an object to the token"); break;
+	case cmd_Dump:
+	    pusg(ps, "Dump a single object"); break;
+	case cmd_List:    
+	    pusg(ps, "List objects on the token (-n for single object)"); break;
+	case cmd_Version: 
+	    pusg(ps, "Report version"); break;
+	default:
+	    pusg(ps, "Unrecognized command"); break;
+	}
+    } else {
+	switch(num) {
+	case opt_Ascii:      
+	    pusg(ps, "Use ascii (base-64 encoded) mode for I/O"); break;
+	case opt_ProfileDir:    
+	    pusg(ps, "Directory containing security databases (def: \".\")"); 
+	    break;
+	case opt_TokenName:  
+	    pusg(ps, "Name of PKCS#11 token to use (def: internal)"); break;
+	case opt_InputFile:  
+	    pusg(ps, "File for input (def: stdin)"); break;
+	case opt_Nickname:   
+	    pusg(ps, "Nickname of object"); break;
+	case opt_OutputFile: 
+	    pusg(ps, "File for output (def: stdout)"); break;
+	case opt_Binary:    
+	    pusg(ps, "Use raw (binary der-encoded) mode for I/O"); break;
+	case opt_Trust:      
+	    pusg(ps, "Trust level for certificate"); break;
+	case opt_Help: break;
+	default:
+	    pusg(ps, "Unrecognized option");
+	}
+    }
+}
+
+int 
+main(int argc, char **argv)
+{
+    PRFileDesc     *infile        = NULL;
+    PRFileDesc     *outfile       = NULL;
+    char           *profiledir       = "./";
+#if 0
+    secuPWData      pwdata        = { PW_NONE, 0 };
+#endif
+    int             objclass      = 3; /* ANY */
+    NSSTrustDomain *root_cert_td  = NULL;
+    char           *rootpath      = NULL;
+    char            builtin_name[]= "libnssckbi.so"; /* temporary hardcode */
+    PRStatus        rv            = PR_SUCCESS;
+
+    int cmdToRun;
+    cmdCommand pkiutil;
+    pkiutil.ncmd = pkiutil_num_commands;
+    pkiutil.nopt = pkiutil_num_options;
+    pkiutil.cmd = pkiutil_commands;
+    pkiutil.opt = pkiutil_options;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    cmdToRun = CMD_ParseCommandLine(argc, argv, progName, &pkiutil);
+
+#if 0
+    { int i, nc;
+    for (i=0; i<pkiutil.ncmd; i++)
+	printf("%s: %s <%s>\n", pkiutil.cmd[i].s, 
+	                        (pkiutil.cmd[i].on) ? "on" : "off",
+				pkiutil.cmd[i].arg);
+    for (i=0; i<pkiutil.nopt; i++)
+	printf("%s: %s <%s>\n", pkiutil.opt[i].s, 
+	                        (pkiutil.opt[i].on) ? "on" : "off",
+				pkiutil.opt[i].arg);
+    }
+#endif
+
+    if (pkiutil.opt[opt_Help].on)
+	CMD_LongUsage(progName, &pkiutil, pkiutil_usage);
+
+    if (cmdToRun < 0)
+	CMD_Usage(progName, &pkiutil);
+
+    /* -d */
+    if (pkiutil.opt[opt_ProfileDir].on) {
+	profiledir = strdup(pkiutil.opt[opt_ProfileDir].arg);
+    }
+
+    /* -i */
+    if (pkiutil.opt[opt_InputFile].on) {
+	char *fn = pkiutil.opt[opt_InputFile].arg;
+	infile = PR_Open(fn, PR_RDONLY, 0660);
+    } else {
+	infile = PR_STDIN;
+    }
+
+    /* -o */
+    if (pkiutil.opt[opt_OutputFile].on) {
+	char *fn = pkiutil.opt[opt_OutputFile].arg;
+	outfile = PR_Open(fn, PR_WRONLY | PR_CREATE_FILE, 0660);
+    } else {
+	outfile = PR_STDOUT;
+    }
+
+    /* --type can be found on many options */
+    if (pkiutil.opt[opt_Type].on)
+	objclass = get_object_class(pkiutil.opt[opt_Type].arg);
+    else if (cmdToRun == cmd_Dump && pkiutil.cmd[cmd_Dump].arg)
+	objclass = get_object_class(pkiutil.cmd[cmd_Dump].arg);
+    else if (cmdToRun == cmd_List && pkiutil.cmd[cmd_List].arg)
+	objclass = get_object_class(pkiutil.cmd[cmd_List].arg);
+    else if (cmdToRun == cmd_Add && pkiutil.cmd[cmd_Add].arg)
+	objclass = get_object_class(pkiutil.cmd[cmd_Add].arg);
+    if (objclass < 0)
+	goto done;
+
+    /* --print is an alias for --list --nickname */
+    if (cmdToRun == cmd_Dump) cmdToRun = cmd_List;
+
+    /* if list has raw | ascii must have -n.  can't have both raw and ascii */
+    if (pkiutil.opt[opt_Binary].on || pkiutil.opt[opt_Ascii].on) {
+	if (cmdToRun == cmd_List && !pkiutil.opt[opt_Nickname].on) {
+	    fprintf(stderr, "%s: specify a object to output with -n\n", 
+	                     progName);
+	    CMD_LongUsage(progName, &pkiutil, pkiutil_usage);
+	}
+    }
+
+    /* initialize */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    /* NSS_InitReadWrite(profiledir); */
+    NSS_NoDB_Init(NULL);
+
+    /* Display version info and exit */
+    if (cmdToRun == cmd_Version) {
+	printf("%s\nNSS Version %s\n", PKIUTIL_VERSION_STRING, NSS_VERSION);
+	goto done;
+    }
+
+    /* XXX okay - bootstrap stan by loading the root cert module for testing */
+    root_cert_td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
+    {
+	int rootpathlen = strlen(profiledir) + strlen(builtin_name) + 1;
+	rootpath = (char *)malloc(rootpathlen);
+	memcpy(rootpath, profiledir, strlen(profiledir));
+	memcpy(rootpath + strlen(profiledir), 
+               builtin_name, strlen(builtin_name));
+	rootpath[rootpathlen - 1] = '\0';
+    }
+    NSSTrustDomain_LoadModule(root_cert_td, "Builtin Root Module", rootpath, 
+                              NULL, NULL);
+
+    printf("\n");
+    if (pkiutil.opt[opt_Nickname].on) {
+	int i;
+	NSSCertificate **certs;
+	NSSCertificate *cert;
+	certs = NSSTrustDomain_FindCertificatesByNickname(root_cert_td,
+			pkiutil.opt[opt_Nickname].arg, NULL, 0, NULL);
+	i = 0;
+	while ((cert = certs[i++]) != NULL) {
+	    printf("Found cert:\n");
+	    print_cert_callback(cert, NULL);
+	}
+    } else {
+        NSSTrustDomain_TraverseCertificates(root_cert_td, print_cert_callback, 0);
+    }
+
+    NSSTrustDomain_Destroy(root_cert_td);
+
+    /* List token objects */
+    if (cmdToRun == cmd_List)  {
+#if 0
+	rv = list_token_objects(slot, objclass, 
+	                        pkiutil.opt[opt_Nickname].arg,
+	                        pkiutil.opt[opt_Binary].on,
+	                        pkiutil.opt[opt_Ascii].on,
+	                        outfile, &pwdata);
+#endif
+	goto done;
+    }
+
+#if 0
+    /* Import an object into the token. */
+    if (cmdToRun == cmd_Add) {
+	rv = add_object_to_token(slot, object);
+	goto done;
+    }
+#endif
+
+done:
+    if (NSS_Shutdown() != SECSuccess) {
+	exit(1);
+    }
+
+    return rv;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/pkiutil/platlibs.mk
@@ -0,0 +1,57 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+EXTRA_LIBS += \
+	$(DIST)/lib/libcmdutil.$(LIB_SUFFIX) \
+	$(NULL)
+
+ifeq ($(OS_ARCH), AIX) 
+EXTRA_SHARED_LIBS += -brtl 
+endif
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lnsspki3 \
+	-lnss3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
--- a/security/nss/cmd/shlibsign/sign.sh
+++ b/security/nss/cmd/shlibsign/sign.sh
@@ -45,12 +45,14 @@ OpenVMS)
     SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
     export SHLIB_PATH
     LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
     export LD_LIBRARY_PATH
     DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
     export DYLD_LIBRARY_PATH
     LIBRARY_PATH=${1}/lib:${4}:$LIBRARY_PATH
     export LIBRARY_PATH
+    ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+    export ADDON_PATH
     echo ${2}/shlibsign -v -i ${5}
     ${2}/shlibsign -v -i ${5}
     ;;
 esac
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/sslstrength/Makefile
@@ -0,0 +1,86 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
+ifndef BUILD_OPT
+LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
+OS_CFLAGS += -D_CONSOLE
+endif
+endif
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include ../platlibs.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/sslstrength/manifest.mn
@@ -0,0 +1,54 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+EXPORTS = 
+
+CSRCS = sslstrength.c	\
+	$(NULL)
+
+PROGRAM =  sslstrength
+
+REQUIRES = dbm seccmd
+
+DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
+
+PACKAGE_FILES = sslstrength
+
+ARCHIVE_NAME = sslstrength
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/sslstrength/sslstr.cgi
@@ -0,0 +1,300 @@
+#!/usr/bin/perl
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+use CGI qw(:standard);
+
+
+
+# Replace this will the full path to the sslstrength executable.
+$sslstrength = "./sslstrength";
+
+
+# Replace this with the name of this CGI.
+
+$sslcgi = "sslstr.cgi";
+
+
+$query = new CGI;
+
+print header;
+
+print "<HTML><HEAD>
+<SCRIPT language='javascript'>
+
+function doexport(form) {
+    form.ssl2ciphers.options[0].selected=0;
+    form.ssl2ciphers.options[1].selected=0;
+    form.ssl2ciphers.options[2].selected=0;
+    form.ssl2ciphers.options[3].selected=0;
+    form.ssl2ciphers.options[4].selected=1;
+    form.ssl2ciphers.options[5].selected=1;
+
+    form.ssl3ciphers.options[0].selected=1;
+    form.ssl3ciphers.options[1].selected=1;
+    form.ssl3ciphers.options[2].selected=0;
+    form.ssl3ciphers.options[3].selected=1;
+    form.ssl3ciphers.options[4].selected=1;
+    form.ssl3ciphers.options[5].selected=1;
+    form.ssl3ciphers.options[6].selected=0;
+    form.ssl3ciphers.options[7].selected=0;
+
+
+}
+
+function dodomestic(form) {
+    form.ssl2ciphers.options[0].selected=1;
+    form.ssl2ciphers.options[1].selected=1;
+    form.ssl2ciphers.options[2].selected=1;
+    form.ssl2ciphers.options[3].selected=1;
+    form.ssl2ciphers.options[4].selected=1;
+    form.ssl2ciphers.options[5].selected=1;
+
+    form.ssl3ciphers.options[0].selected=1;
+    form.ssl3ciphers.options[1].selected=1;
+    form.ssl3ciphers.options[2].selected=1;
+    form.ssl3ciphers.options[3].selected=1;
+    form.ssl3ciphers.options[4].selected=1;
+    form.ssl3ciphers.options[5].selected=1;
+    form.ssl3ciphers.options[6].selected=1;
+    form.ssl3ciphers.options[7].selected=1;
+
+}
+
+function doclearssl2(form) {
+    form.ssl2ciphers.options[0].selected=0;
+    form.ssl2ciphers.options[1].selected=0;
+    form.ssl2ciphers.options[2].selected=0;
+    form.ssl2ciphers.options[3].selected=0;
+    form.ssl2ciphers.options[4].selected=0;
+    form.ssl2ciphers.options[5].selected=0;
+}
+
+
+function doclearssl3(form) {
+    form.ssl3ciphers.options[0].selected=0;
+    form.ssl3ciphers.options[1].selected=0;
+    form.ssl3ciphers.options[2].selected=0;
+    form.ssl3ciphers.options[3].selected=0;
+    form.ssl3ciphers.options[4].selected=0;
+    form.ssl3ciphers.options[5].selected=0;
+    form.ssl3ciphers.options[6].selected=0;
+    form.ssl3ciphers.options[7].selected=0;
+
+}
+
+function dohost(form,hostname) {
+    form.host.value=hostname;
+    }
+
+
+
+</SCRIPT>
+<TITLE>\n";
+print "SSLStrength\n";
+print "</TITLE></HEAD>\n";
+
+print "<h1>SSLStrength</h1>\n";
+
+if ($query->param('dotest')) {
+    print "Output from sslstrength: \n";
+    print "<pre>\n";
+
+    $cs = "";
+    
+    @ssl2ciphers = $query->param('ssl2ciphers');
+    for $cipher (@ssl2ciphers) {
+	if ($cipher eq "SSL_EN_RC2_128_WITH_MD5")              { $cs .= "a"; }
+	if ($cipher eq "SSL_EN_RC2_128_CBC_WITH_MD5")          { $cs .= "b"; }
+	if ($cipher eq "SSL_EN_DES_192_EDE3_CBC_WITH_MD5")     { $cs .= "c"; }
+	if ($cipher eq "SSL_EN_DES_64_CBC_WITH_MD5")           { $cs .= "d"; }
+	if ($cipher eq "SSL_EN_RC4_128_EXPORT40_WITH_MD5")     { $cs .= "e"; }
+	if ($cipher eq "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5") { $cs .= "f"; }
+    }
+
+    @ssl3ciphers = $query->param('ssl3ciphers');
+    for $cipher (@ssl3ciphers) {
+	if ($cipher eq "SSL_RSA_WITH_RC4_128_MD5")           { $cs .= "i"; }
+	if ($cipher eq "SSL_RSA_WITH_3DES_EDE_CBC_SHA")      { $cs .= "j"; }
+	if ($cipher eq "SSL_RSA_WITH_DES_CBC_SHA")           { $cs .= "k"; }
+	if ($cipher eq "SSL_RSA_EXPORT_WITH_RC4_40_MD5")     { $cs .= "l"; }
+	if ($cipher eq "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5") { $cs .= "m"; }
+	if ($cipher eq "SSL_RSA_WITH_NULL_MD5")              { $cs .= "o"; }
+	if ($cipher eq "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA") { $cs .= "p"; }
+	if ($cipher eq "SSL_RSA_FIPS_WITH_DES_CBC_SHA")      { $cs .= "q"; }
+    }
+
+    $hs = $query->param('host');
+    if ($hs eq "") {
+	print "</pre>You must specify a host to connect to.<br><br>\n";
+	exit(0);
+    }
+
+    $ps = $query->param('policy');
+    
+    $cmdstring = "$sslstrength $hs policy=$ps ciphers=$cs";
+
+    print "running sslstrength:\n";
+    print "$cmdstring\n";
+
+    $r = open(SSLS, "$cmdstring |");
+    if ($r == 0) {
+	print "<pre>There was a problem starting $cmdstring<br><br>\n";
+	exit(0);
+    }
+    while (<SSLS>) {
+	print "$_";
+    }
+    close(SSLS);
+
+
+    print "</pre>\n";
+   
+}
+
+else {
+print "<FORM method=post action=$sslcgi>\n";
+print "<hr>
+<h2>Host Name</h2>
+<TABLE BORDER=0 CELLPADDING=20>
+<TR>
+<TD>
+Type hostname here:<br>
+<input type=text name=host size=30>&nbsp;<br><br>
+<TD>
+ <b>Or click these buttons to test some well-known servers</b><br>
+ <TABLE BORDER=0>
+ <TR>
+ <TD>
+ Export servers:
+ <TD>
+ <input type=button value='F-Tech' onclick=dohost(this.form,'strongbox.ftech.net')>
+ </TR>
+ <TR>
+ <TD>
+ Domestic servers:
+ <TD>
+ <input type=button value='Wells Fargo' onclick=dohost(this.form,'banking.wellsfargo.com')>
+ </TR>
+ <TR>
+ <TD>
+ Step-Up Servers
+ <TD>
+ <input type=button value='Barclaycard' onclick=dohost(this.form,'enigma.barclaycard.co.uk')>
+ <input type=button value='BBVnet' onclick=dohost(this.form,'www.bbvnet.com')>&nbsp;
+ <input type=button value='BHIF' onclick=dohost(this.form,'empresas.bhif.cl')>&nbsp;
+ </TR>
+ </TABLE>
+</TR>
+</TABLE>
+<br>
+<hr>
+<br>
+<h2>Encryption policy</h2>
+<input type=radio name=policy VALUE=export            onclick=doexport(this.form)>&nbsp;
+Export<br>
+<input type=radio name=policy VALUE=domestic CHECKED  onclick=dodomestic(this.form)>&nbsp;
+Domestic<br>
+<br>
+<hr>
+<br>
+<h2>Cipher Selection</h2>
+(use ctrl to multi-select)<br>
+<table>
+<tr>
+<td>SSL 2 Ciphers
+<td>
+<SELECT NAME=ssl2ciphers SIZE=6 MULTIPLE align=bottom>
+<OPTION SELECTED>SSL_EN_RC4_128_WITH_MD5
+<OPTION SELECTED>SSL_EN_RC2_128_CBC_WITH_MD5
+<OPTION SELECTED>SSL_EN_DES_192_EDE3_CBC_WITH_MD5
+<OPTION SELECTED>SSL_EN_DES_64_CBC_WITH_MD5
+<OPTION SELECTED>SSL_EN_RC4_128_EXPORT40_WITH_MD5
+<OPTION SELECTED>SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5
+</SELECT>
+<input type=button Value='Clear all' onclick = 'doclearssl2(this.form)'>
+</tr>
+<tr>
+<td>SSL3 Ciphers
+<td>
+<SELECT NAME=ssl3ciphers SIZE=8 MULTIPLE>
+<OPTION SELECTED>SSL_RSA_WITH_RC4_128_MD5
+<OPTION SELECTED>SSL_RSA_WITH_3DES_EDE_CBC_SHA
+<OPTION SELECTED>SSL_RSA_WITH_DES_CBC_SHA
+<OPTION SELECTED>SSL_RSA_EXPORT_WITH_RC4_40_MD5
+<OPTION SELECTED>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+<OPTION SELECTED>SSL_RSA_WITH_NULL_MD5
+<OPTION SELECTED>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+<OPTION SELECTED>SSL_RSA_FIPS_WITH_DES_CBC_SHA
+</SELECT>
+<input type=button value='Clear all' onclick = 'doclearssl3(this.form)'>
+
+<TD>
+<input type=submit name=dotest value='Run SSLStrength'>
+</tr>
+</table>
+<input type=hidden name=dotest>
+<br>
+<br>
+</form>
+\n";
+
+}
+
+
+exit(0);
+
+
+__END__
+
+ id    CipherName                                     Domestic     Export      
+ a     SSL_EN_RC4_128_WITH_MD5              (ssl2)    Yes          No          
+ b     SSL_EN_RC2_128_CBC_WITH_MD5          (ssl2)    Yes          No          
+ c     SSL_EN_DES_192_EDE3_CBC_WITH_MD5     (ssl2)    Yes          No          
+ d     SSL_EN_DES_64_CBC_WITH_MD5           (ssl2)    Yes          No          
+ e     SSL_EN_RC4_128_EXPORT40_WITH_MD5     (ssl2)    Yes          Yes         
+ f     SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)    Yes          Yes         
+ i     SSL_RSA_WITH_RC4_128_MD5             (ssl3)    Yes          Step-up only
+ j     SSL_RSA_WITH_3DES_EDE_CBC_SHA        (ssl3)    Yes          Step-up only
+ k     SSL_RSA_WITH_DES_CBC_SHA             (ssl3)    Yes          No          
+ l     SSL_RSA_EXPORT_WITH_RC4_40_MD5       (ssl3)    Yes          Yes         
+ m     SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5   (ssl3)    Yes          Yes         
+ o     SSL_RSA_WITH_NULL_MD5                (ssl3)    Yes          Yes         
+
+
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/sslstrength/sslstrength.c
@@ -0,0 +1,625 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef SSLTELNET
+#include <termios.h>
+#endif
+
+/* Portable layer header files */
+#include "prinit.h"
+#include "prprf.h"
+#include "prsystem.h"
+#include "prmem.h"
+#include "plstr.h"
+#include "prnetdb.h"
+#include "prinrval.h"
+
+#include "secutil.h"
+
+/* Security library files */
+#include "cert.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "secmod.h"
+#include "nss.h"
+
+/* define this if you want telnet capability! */
+
+/* #define SSLTELNET 1 */
+
+PRInt32 debug;
+
+#ifdef DEBUG_stevep
+#define dbmsg(x) if (verbose) PR_fprintf(PR_STDOUT,x);
+#else
+#define dbmsg(x) ;
+#endif
+
+
+/* Set SSL Policy to Domestic (strong=1) or Export (strong=0) */
+
+#define ALLOW(x) SSL_CipherPolicySet(x,SSL_ALLOWED); SSL_CipherPrefSetDefault(x,1);
+#define DISALLOW(x) SSL_CipherPolicySet(x,SSL_NOT_ALLOWED); SSL_CipherPrefSetDefault(x,0);
+#define MAYBEALLOW(x) SSL_CipherPolicySet(x,SSL_RESTRICTED); SSL_CipherPrefSetDefault(x,1);
+
+struct CipherPolicy {
+  char number;
+  long id;
+  char *name;
+  PRInt32 pref;
+  PRInt32 domestic;
+  PRInt32 export;
+};
+
+struct CipherPolicy ciphers[] = {
+  { 'a',SSL_EN_RC4_128_WITH_MD5,              "SSL_EN_RC4_128_WITH_MD5              (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'b',SSL_EN_RC2_128_CBC_WITH_MD5,          "SSL_EN_RC2_128_CBC_WITH_MD5          (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },  
+  { 'c',SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     "SSL_EN_DES_192_EDE3_CBC_WITH_MD5     (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'd',SSL_EN_DES_64_CBC_WITH_MD5,           "SSL_EN_DES_64_CBC_WITH_MD5           (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'e',SSL_EN_RC4_128_EXPORT40_WITH_MD5,     "SSL_EN_RC4_128_EXPORT40_WITH_MD5     (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED },
+  { 'f',SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED },
+#ifdef FORTEZZA
+  { 'g',SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",1,SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'h',SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA",1,          SSL_ALLOWED,SSL_NOT_ALLOWED },
+#endif
+  { 'i',SSL_RSA_WITH_RC4_128_MD5,             "SSL_RSA_WITH_RC4_128_MD5             (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED },
+  { 'j',SSL_RSA_WITH_3DES_EDE_CBC_SHA,        "SSL_RSA_WITH_3DES_EDE_CBC_SHA        (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED },
+  { 'k',SSL_RSA_WITH_DES_CBC_SHA,             "SSL_RSA_WITH_DES_CBC_SHA             (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'l',SSL_RSA_EXPORT_WITH_RC4_40_MD5,       "SSL_RSA_EXPORT_WITH_RC4_40_MD5       (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED },
+  { 'm',SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,   "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5   (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED },
+#ifdef FORTEZZA
+  { 'n',SSL_FORTEZZA_DMS_WITH_NULL_SHA, "SSL_FORTEZZA_DMS_WITH_NULL_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+#endif
+  { 'o',SSL_RSA_WITH_NULL_MD5,                "SSL_RSA_WITH_NULL_MD5                (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED },
+  { 'p',SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA   (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED },
+  { 'q',SSL_RSA_FIPS_WITH_DES_CBC_SHA,        "SSL_RSA_FIPS_WITH_DES_CBC_SHA        (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }
+
+};
+
+void PrintErrString(char *progName,char *msg) {
+  
+  PRErrorCode e = PORT_GetError();
+  char *s=NULL;
+
+
+  if ((e >= PR_NSPR_ERROR_BASE) && (e < PR_MAX_ERROR)) {
+    
+    if (e == PR_DIRECTORY_LOOKUP_ERROR) 
+      s = PL_strdup("Hostname Lookup Failed");
+    else if (e == PR_NETWORK_UNREACHABLE_ERROR)
+      s = PL_strdup("Network Unreachable");
+    else if (e == PR_CONNECT_TIMEOUT_ERROR)
+      s = PL_strdup("Connection Timed Out");
+    else s = PR_smprintf("%d",e);
+
+    if (!s) return;
+  }
+  else {
+    s = PL_strdup(SECU_ErrorString(e));
+  }
+    
+  PR_fprintf(PR_STDOUT,"%s: ",progName);
+  if (s) {
+    if (*s) 
+      PR_fprintf(PR_STDOUT, "%s\n", s);
+    else
+      PR_fprintf(PR_STDOUT, "\n");
+    
+    PR_Free(s);
+  }
+  
+}
+
+void PrintCiphers(int onlyenabled) {
+  int ciphercount,i;
+  
+  if (onlyenabled) {
+    PR_fprintf(PR_STDOUT,"Your Cipher preference:\n");
+  }
+
+  ciphercount = sizeof(ciphers)/sizeof(struct CipherPolicy);
+    PR_fprintf(PR_STDOUT,
+	       " %s    %-45s  %-12s %-12s\n","id","CipherName","Domestic","Export");
+
+  for (i=0;i<ciphercount;i++) {
+    if ( (onlyenabled ==0) || ((onlyenabled==1)&&(ciphers[i].pref))) {
+      PR_fprintf(PR_STDOUT,
+		 " %c     %-45s  %-12s %-12s\n",ciphers[i].number,ciphers[i].name,
+		 (ciphers[i].domestic==SSL_ALLOWED)?"Yes":
+		 ( (ciphers[i].domestic==SSL_NOT_ALLOWED)?"No":"Step-up only"),
+		 (ciphers[i].export==SSL_ALLOWED)?"Yes":
+		 ( (ciphers[i].export==SSL_NOT_ALLOWED)?"No":"Step-up only"));
+	}
+  }
+}
+
+
+void SetPolicy(char *c,int policy) {  /* policy==1 : domestic,   policy==0, export */
+  int i,j,cpolicy;
+  /* first, enable all relevant ciphers according to policy */
+  for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) {
+    SSL_CipherPolicySet(ciphers[j].id,policy?ciphers[j].domestic:ciphers[j].export);
+    SSL_CipherPrefSetDefault(ciphers[j].id, PR_FALSE);
+    ciphers[j].pref =0;
+  }
+  
+
+  for (i=0;i<(int)PL_strlen(c);i++) {
+    for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) {
+      if (ciphers[j].number == c[i]) {
+	cpolicy = policy?ciphers[j].domestic:ciphers[j].export;
+	if (cpolicy == SSL_NOT_ALLOWED) {
+	  PR_fprintf(PR_STDOUT, "You're trying to enable a cipher (%c:%s) outside of your policy. ignored\n",
+		     c[i],ciphers[j].name);
+	}
+	else {
+	  ciphers[j].pref=1;
+	  SSL_CipherPrefSetDefault(ciphers[j].id, PR_TRUE);
+	}
+      }
+    }
+  }
+}
+
+
+int MyAuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isserver) {
+  return SECSuccess;
+}
+
+
+void Usage() {
+#ifdef SSLTELNET
+    PR_fprintf(PR_STDOUT,"SSLTelnet ");
+#else
+    PR_fprintf(PR_STDOUT,"SSLStrength (No telnet functionality) ");
+#endif
+    PR_fprintf(PR_STDOUT,"Version 1.5\n");
+ 
+    PR_fprintf(PR_STDOUT,"Usage:\n   sslstrength hostname[:port] [ciphers=xyz] [certdir=x] [debug] [verbose] "
+#ifdef SSLTELNET
+"[telnet]|[servertype]|[querystring=<string>] "
+#endif
+"[policy=export|domestic]\n   sslstrength ciphers\n");
+}
+
+
+PRInt32 debug = 0;
+PRInt32 verbose = 0;
+
+PRInt32 main(PRInt32 argc,char **argv, char **envp)
+{
+
+  
+  /* defaults for command line arguments */
+  char *hostnamearg=NULL;
+  char *portnumarg=NULL;
+  char *sslversionarg=NULL;
+  char *keylenarg=NULL;
+  char *certdir=NULL;
+  char *hostname;
+  char *nickname=NULL;
+  char *progname=NULL;
+  /*  struct sockaddr_in addr; */
+  PRNetAddr addr;
+
+  int ss_on;
+  char *ss_cipher;
+  int ss_keysize;
+  int ss_secretsize;
+  char *ss_issuer;
+  char *ss_subject;
+  int policy=1;
+  char *set_ssl_policy=NULL;
+  int print_ciphers=0;
+  
+  char buf[10];
+  char netdbbuf[PR_NETDB_BUF_SIZE];
+  PRHostEnt hp;
+  PRStatus r;
+  PRNetAddr na;
+  SECStatus rv;
+  int portnum=443;   /* default https: port */
+  PRFileDesc *s,*fd;
+  
+  CERTCertDBHandle *handle;
+  CERTCertificate *c;
+  PRInt32 i;
+#ifdef SSLTELNET
+  struct termios tmp_tc;
+  char cb;
+  int prev_lflag,prev_oflag,prev_iflag;
+  int t_fin,t_fout;
+  int servertype=0, telnet=0;
+  char *querystring=NULL;
+#endif
+
+  debug = 0;
+
+  progname = (char *)PL_strrchr(argv[0], '/');
+  progname = progname ? progname+1 : argv[0];
+
+  /* Read in command line args */
+  if (argc == 1) {
+    Usage();
+    return(0);
+  }
+  
+  if (! PL_strcmp("ciphers",argv[1])) {
+    PrintCiphers(0);
+    exit(0);
+  }
+
+  hostname = argv[1];
+
+  if (!PL_strcmp(hostname , "usage") || !PL_strcmp(hostname, "-help") ) {
+    Usage();
+    exit(0);
+    }
+
+  if ((portnumarg = PL_strchr(hostname,':'))) {
+    *portnumarg = 0;
+    portnumarg = &portnumarg[1];
+  }
+  
+  if (portnumarg) {
+    if (*portnumarg == 0) {
+      PR_fprintf(PR_STDOUT,"malformed port number supplied\n");
+      return(1);
+    }
+    portnum = atoi(portnumarg);
+  }
+  
+  for (i = 2  ; i < argc; i++)
+    {
+      if (!PL_strncmp(argv[i] , "sslversion=",11) )
+	sslversionarg=&(argv[i][11]);
+      else if (!PL_strncmp(argv[i], "certdir=",8) )
+	certdir = &(argv[i][8]);
+      else if (!PL_strncmp(argv[i], "ciphers=",8) )
+	{
+	  set_ssl_policy=&(argv[i][8]);
+	}
+      else if (!PL_strncmp(argv[i], "policy=",7) ) {
+	if (!PL_strcmp(&(argv[i][7]),"domestic")) policy=1;
+	else if (!PL_strcmp(&(argv[i][7]),"export")) policy=0;
+	else {
+	  PR_fprintf(PR_STDOUT,"sslstrength: invalid argument. policy must be one of (domestic,export)\n");
+	}
+      }
+      else if (!PL_strcmp(argv[i] , "debug") )
+	debug = 1;
+#ifdef SSLTELNET
+      else if (!PL_strcmp(argv[i] , "telnet") )
+	telnet = 1;
+      else if (!PL_strcmp(argv[i] , "servertype") )
+	servertype = 1;
+      else if (!PL_strncmp(argv[i] , "querystring=",11) )
+	querystring = &argv[i][12];
+#endif
+      else if (!PL_strcmp(argv[i] , "verbose") )
+	verbose = 1;
+    }
+  
+#ifdef SSLTELNET
+  if (telnet && (servertype || querystring)) {
+    PR_fprintf(PR_STDOUT,"You can't use telnet and (server or querystring) options at the same time\n");
+    exit(1);
+  }
+#endif
+
+  PR_fprintf(PR_STDOUT,"Using %s policy\n",policy?"domestic":"export");
+  
+  /* allow you to set env var SSLDIR to set the cert directory */
+  if (! certdir) certdir = SECU_DefaultSSLDir();  
+
+  /* if we don't have one still, initialize with no databases */
+  if (!certdir) {
+    rv = NSS_NoDB_Init(NULL);
+
+    (void) SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX,0,0);
+  } else {
+    rv = NSS_Init(certdir);
+    SECU_ConfigDirectory(certdir);
+  }
+  
+  /* Lookup host */
+  r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp);
+  
+  if (r) {
+    PrintErrString(progname,"Host Name lookup failed");
+    return(1);
+  }
+  
+  /* should the third field really be 0? */
+
+  PR_EnumerateHostEnt(0,&hp,0,&na);
+  PR_InitializeNetAddr(PR_IpAddrNull,portnum,&na);
+
+  PR_fprintf(PR_STDOUT,"Connecting to %s:%d\n",hostname, portnum);
+  
+  /* Create socket */
+
+  fd = PR_NewTCPSocket();
+  if (fd == NULL) {
+    PrintErrString(progname, "error creating socket");
+    return -1;
+  }
+
+  s = SSL_ImportFD(NULL,fd);
+  if (s == NULL) {
+    PrintErrString(progname, "error creating socket");
+    return -1;
+  }
+  
+  dbmsg("10: About to enable security\n");
+  
+  rv = SSL_OptionSet(s, SSL_SECURITY, PR_TRUE);
+  if (rv < 0) {
+    PrintErrString(progname, "error enabling socket");
+    return -1;
+  }
+  
+  if (set_ssl_policy) {
+    SetPolicy(set_ssl_policy,policy);
+  }
+  else {
+    PR_fprintf(PR_STDOUT,"Using all ciphersuites usually found in client\n");
+    if (policy) {
+      SetPolicy("abcdefghijklmnopqrst",policy);
+    }
+    else {
+      SetPolicy("efghijlmo",policy);
+    }
+  }
+
+  PrintCiphers(1);
+
+  rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
+  if (rv < 0) {
+    PrintErrString(progname, "error enabling client handshake");
+    return -1;
+  }
+  
+  dbmsg("30: About to set AuthCertificateHook\n");
+  
+  
+  SSL_AuthCertificateHook(s, MyAuthCertificateHook, (void *)handle);
+  /* SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle); */
+  /* SSL_GetClientAuthDataHook(s, GetClientAuthDataHook, (void *)nickname);*/
+  
+  
+  dbmsg("40: About to SSLConnect\n");
+  
+  /* Try to connect to the server */
+  /* now SSL_Connect takes new arguments. */
+  
+  
+  r = PR_Connect(s, &na, PR_TicksPerSecond()*5);
+  if (r < 0) {
+    PrintErrString(progname, "unable to connect");
+    return -1;
+  }
+  
+  rv = SSL_ForceHandshake(s);
+  
+  if (rv) {
+    PrintErrString(progname,"SSL Handshake failed. ");
+    exit(1);
+  }
+
+  rv = SSL_SecurityStatus(s, &ss_on, &ss_cipher,
+			  &ss_keysize, &ss_secretsize,
+			  &ss_issuer, &ss_subject);
+
+  
+  dbmsg("60:  done with security status, about to print\n");
+  
+  c = SSL_PeerCertificate(s);
+  if (!c) PR_fprintf(PR_STDOUT,"Couldn't retrieve peers Certificate\n");
+  PR_fprintf(PR_STDOUT,"SSL Connection Status\n",rv);
+  
+  PR_fprintf(PR_STDOUT,"   Cipher:          %s\n",ss_cipher);
+  PR_fprintf(PR_STDOUT,"   Key Size:        %d\n",ss_keysize);
+  PR_fprintf(PR_STDOUT,"   Secret Key Size: %d\n",ss_secretsize);
+  PR_fprintf(PR_STDOUT,"   Issuer:          %s\n",ss_issuer);
+  PR_fprintf(PR_STDOUT,"   Subject:         %s\n",ss_subject);
+
+  PR_fprintf(PR_STDOUT,"   Valid:           from %s to %s\n",
+	     c==NULL?"???":DER_TimeChoiceDayToAscii(&c->validity.notBefore),
+	     c==NULL?"???":DER_TimeChoiceDayToAscii(&c->validity.notAfter));
+
+#ifdef SSLTELNET
+
+ 
+
+
+  if (servertype || querystring) {
+    char buffer[1024];
+    char ch;
+    char qs[] = "HEAD / HTTP/1.0";
+
+
+
+
+    if (!querystring) querystring = qs;
+    PR_fprintf(PR_STDOUT,"\nServer query mode\n>>Sending:\n%s\n",querystring);
+
+    PR_fprintf(PR_STDOUT,"\n*** Server said:\n");
+    ch = querystring[PL_strlen(querystring)-1];
+    if (ch == '"' || ch == '\'') {
+      PR_fprintf(PR_STDOUT,"Warning: I'm not smart enough to cope with quotes mid-string like that\n");
+    }
+    
+    rv = PR_Write(s,querystring,PL_strlen(querystring));
+    if ((rv < 1) ) {
+      PR_fprintf(PR_STDOUT,"Oh dear - couldn't send servertype query\n");
+      goto closedown;
+    }
+
+    rv = PR_Write(s,"\r\n\r\n",4);
+    rv = PR_Read(s,buffer,1024);
+    if ((rv < 1) ) {
+      PR_fprintf(PR_STDOUT,"Oh dear - couldn't read server repsonse\n");
+      goto closedown;
+    }
+      PR_Write(PR_STDOUT,buffer,rv);
+  }
+
+    
+  if (telnet) {
+
+    PR_fprintf(PR_STDOUT,"---------------------------\n"
+	       "telnet mode. CTRL-C to exit\n"
+	       "---------------------------\n");
+    
+
+
+    /* fudge terminal attributes */
+    t_fin = PR_FileDesc2NativeHandle(PR_STDIN);
+    t_fout = PR_FileDesc2NativeHandle(PR_STDOUT);
+    
+    tcgetattr(t_fin,&tmp_tc);
+    prev_lflag = tmp_tc.c_lflag;
+    prev_oflag = tmp_tc.c_oflag;
+    prev_iflag = tmp_tc.c_iflag;
+    tmp_tc.c_lflag &= ~ECHO;
+    /*    tmp_tc.c_oflag &= ~ONLCR; */
+    tmp_tc.c_lflag &= ~ICANON;
+    tmp_tc.c_iflag &= ~ICRNL;
+    tmp_tc.c_cflag |= CS8;
+    tmp_tc.c_cc[VMIN] = 1;
+    tmp_tc.c_cc[VTIME] = 0;
+    
+    tcsetattr(t_fin, TCSANOW, &tmp_tc);
+    /*   ioctl(tin, FIONBIO, (char *)&onoff); 
+	 ioctl(tout, FIONBIO, (char *)&onoff);*/
+    
+    
+    {
+      PRPollDesc pds[2];
+      char buffer[1024];
+      int amt,amtwritten;
+      char *x;
+      
+      /* STDIN */
+      pds[0].fd = PR_STDIN;
+      pds[0].in_flags = PR_POLL_READ;
+      pds[1].fd = s;
+      pds[1].in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
+      
+      while (1) {
+	int nfds;
+
+	nfds = PR_Poll(pds,2,PR_SecondsToInterval(2));
+	if (nfds == 0) continue;
+
+	/** read input from keyboard*/
+	/*  note: this is very inefficient if reading from a file */
+	
+	if (pds[0].out_flags & PR_POLL_READ) {
+	  amt = PR_Read(PR_STDIN,&buffer,1);
+	  /*	PR_fprintf(PR_STDOUT,"fd[0]:%d=%d\r\n",amt,buffer[0]); */
+	  if (amt == 0) {
+	    PR_fprintf(PR_STDOUT,"\n");
+	    goto loser;
+	  }
+	  
+	  if (buffer[0] == '\r') {
+	    buffer[0] = '\r';
+	    buffer[1] = '\n';
+	    amt = 2;
+	  }
+	  rv = PR_Write(PR_STDOUT,buffer,amt);
+	  
+	  
+	  rv = PR_Write(s,buffer,amt);
+	  if (rv == -1) {
+	    PR_fprintf(PR_STDOUT,"Error writing to socket: %d\n",PR_GetError());
+	  }
+	}
+	
+	/***/
+	
+	
+	/***/
+	if (pds[1].out_flags & PR_POLL_EXCEPT) {
+	  PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n");
+	  goto loser;
+	}
+	if (pds[1].out_flags & PR_POLL_READ) {
+	  amt = PR_Read(s,&buffer,1024);
+	  
+	  if (amt == 0) {
+	    PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n");
+	    goto loser;
+	  }
+	  rv = PR_Write(PR_STDOUT,buffer,amt);
+	}
+	/***/
+	
+      }
+    }
+  loser:
+    
+    /* set terminal back to normal */
+    tcgetattr(t_fin,&tmp_tc);
+    
+    tmp_tc.c_lflag = prev_lflag;
+    tmp_tc.c_oflag = prev_oflag;
+    tmp_tc.c_iflag = prev_iflag;
+    tcsetattr(t_fin, TCSANOW, &tmp_tc);
+    
+    /*   ioctl(tin, FIONBIO, (char *)&onoff);
+	 ioctl(tout, FIONBIO, (char *)&onoff); */
+  }
+
+#endif
+  /* SSLTELNET */
+
+ closedown:
+
+  PR_Close(s);
+
+  if (NSS_Shutdown() != SECSuccess) {
+    exit(1);
+  }
+
+  return(0);
+
+} /* main */
+
+/*EOF*/
+
new file mode 100755
--- /dev/null
+++ b/security/nss/cmd/sslstrength/sslwrap
@@ -0,0 +1,185 @@
+#!/usr/bin/perl
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+@profiles = (
+#            "host:port"	"policy"	"ciphers"  	"exp-cipher"	"expkeysize"
+
+	     [ "cfu:443",	"export",	"efijlmo",	"RC4-40",	"40" ],
+	     [ "hbombsgi:448",	"export",	"efijlmo",	"RC4-40",	"40" ],
+	     [ "hbombsgi:448",	"domestic",	"abcdefijklmo",	"RC4",	        "128" ],
+	     [ "gandalf:5666",	"domestic",	"abcdefijklmo",	"RC4",	        "128" ],
+	     [ "gandalf:5666",	"export",	"efijlmo",	"RC4",	        "128" ],
+	     [ "gandalf:5666",	"domestic",	"j",	        "3DES-EDE-CBC", "168" ],
+	     [ "gandalf:5666",	"domestic",	"k",	        "DES-CBC",      "56" ],
+	     [ "gandalf:5666",	"export",	"l",	        "RC4-40",       "40" ],
+	     [ "gandalf:5666",	"export",	"efijlmo",	"RC4",	        "128" ],
+	     [ "hbombcfu:443",	"export",	"efijlmo",	"RC4",	        "128" ],
+	     
+	     );
+
+$file = &filename;
+
+open(HTML, ">$file.htm") || die"Cannot open html output file\n";
+
+$mutversion = "";
+$platform = $ARGV[0];
+
+
+print HTML 
+"<HTML><HEAD>
+<TITLE>ssl/sslstrength: Version: $mutversion Platform: $platform Run date mm/dd/yy</TITLE></HEAD><BODY>\n";
+
+print HTML 
+"<TABLE BORDER=1><TR>
+<TD><B>Test Case Number</B></TD>
+<TD><B>Program</B></TD>
+<TD><B>Description of Test Case</B></TD>
+<TD><B>Start date/time<B></TD>
+<TD><B>End date/time<B></TD>  
+<TD><B>PASS/FAIL</B></TD> 
+</TR>\n";
+
+$countpass =0;
+$countfail =0;
+
+
+$testnum =0;
+for $profile (@profiles) {
+    $testnum ++;
+    ($host, $policy, $ciphers, $expcipher, $expkeysize) = @$profile;
+    
+    $cmd = "./sslstrength $host policy=$policy ciphers=$ciphers";
+
+    $starttime = &datestring." ".&timestring;
+    print STDERR "$cmd\n";
+    open(PIPE, "$cmd|") || die "Cannot start sslstrength\n";
+
+    $cipher = "";
+    $keysize = "";
+    while (<PIPE>) {
+	chop;
+	if (/^   Cipher: *(.*)/) {
+	    $cipher = $1;
+	}
+	if (/^   Secret Key Size: (.*)/) {
+	    $keysize = $1;
+	}
+    }
+    close(PIPE);
+    $endtime = &datestring." ".&timestring;
+
+    if (( $? != 0) || ($cipher ne $expcipher) || ($keysize ne $expkeysize)) {
+	$countfail ++;	
+	$passed =0;	
+    }
+    else {
+	$countpass ++;
+	$passed =1;
+    }
+
+print HTML
+"<TR>
+<TD><B>$testnum</B></TD>
+<TD></TD>
+<TD>$cmd</TD>
+<TD>$starttime</TD>
+<TD>$endtime</TD>
+<TD><B>".($passed ? "PASS" : "<FONT COLOR=red>FAIL: return code = 
+c=$cipher, ec=$expcipher, s=$keysize, es=$expkeysize.</FONT>")."
+</B></TD>
+</TR>\n";
+   
+}
+
+print HTML "</table>\n";
+
+close(HTML);
+
+open (SUM, ">$file.sum") ||die "couldn't open summary file for writing\n";
+
+print SUM <<EOM;
+[Status]
+mut=SSL
+mutversion=1.0
+platform=$platform
+pass=$countpass
+fail=$countfail
+knownFail=0
+malformed=0
+EOM
+
+    close(SUM);
+
+
+
+sub timestring
+{
+
+    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
+    my $string;
+
+    $string = sprintf "%2d:%02d:%02d",$hour, $min, $sec;
+    return $string;
+}
+
+sub datestring
+{
+
+    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
+    my $string;
+
+    $string = sprintf "%d/%d/%2d",$mon+1, $mday+1, $year;
+    return $string;
+}
+
+sub filename
+{
+
+    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
+    my $string;
+
+    $string = sprintf "%04d%02d%02d",$year+1900, $mon+1, $mday;
+    return $string;
+}
+
+
+
+
+
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/Makefile
@@ -0,0 +1,113 @@
+#! gmake
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+
+# 	$(NULL)
+
+
+INCLUDES += \
+	-I$(DIST)/../public/security \
+	-I$(DIST)/../private/security \
+	-I$(DEPTH)/security/lib/cert \
+	-I$(DEPTH)/security/lib/key \
+	-I$(DEPTH)/security/lib/util  \
+	-I./include \
+	$(NULL)
+
+
+# For the time being, sec stuff is export only
+# US_FLAGS = -DEXPORT_VERSION -DUS_VERSION
+
+US_FLAGS = -DEXPORT_VERSION
+EXPORT_FLAGS = -DEXPORT_VERSION
+
+BASE_LIBS = \
+	$(DIST)/lib/libdbm.$(LIB_SUFFIX) \
+	$(DIST)/lib/libxp.$(LIB_SUFFIX) \
+	$(DIST)/lib/libnspr.$(LIB_SUFFIX) \
+	$(NULL)
+
+#	$(DIST)/lib/libpurenspr.$(LIB_SUFFIX) \
+
+#There are a circular dependancies in security/lib, and we deal with it by 
+# double linking some libraries
+SEC_LIBS = \
+	$(DIST)/lib/libsecnav.$(LIB_SUFFIX) \
+        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
+        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
+        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
+        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
+	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
+        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
+        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
+        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
+        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
+        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
+        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
+	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
+        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
+        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
+        $(DIST)/lib/libhash.$(LIB_SUFFIX) \
+	$(NULL)
+
+MYLIB	= lib/$(OBJDIR)/libsectool.$(LIB_SUFFIX)
+
+US_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS)
+EX_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS) 
+
+REQUIRES = libxp nspr security
+
+CSRCS	= $(EXEC_SRCS) $(BI_SRCS)
+
+OBJS	= $(CSRCS:.c=.o) $(BI_SRCS:.c=-us.o) $(BI_SRCS:.c=-ex.o)
+
+PROGS		= $(addprefix $(OBJDIR)/, $(EXEC_SRCS:.c=$(BIN_SUFFIX)))
+US_PROGS 	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-us$(BIN_SUFFIX)))
+EX_PROGS	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-ex$(BIN_SUFFIX)))
+
+
+NON_DIRS = $(PROGS) $(US_PROGS) $(EX_PROGS)
+TARGETS = $(NON_DIRS)
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+symbols::
+	@echo "TARGETS	= $(TARGETS)"
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/instinit/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../../platrules.mk
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/instinit/instinit.c
@@ -0,0 +1,424 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include <stdio.h>
+
+#include "prio.h"
+#include "seccomon.h"
+#include "swforti.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "nss.h"
+#include "secutil.h"
+
+#define CERTDB_VALID_CA        (1<<3)
+#define CERTDB_TRUSTED_CA      (1<<4) /* trusted for issuing server certs */
+
+void secmod_GetInternalModule(SECMODModule *module);
+void sec_SetCheckKRLState(int i);
+
+#define STEP 16
+void
+printItem(SECItem *key) {
+ int i;
+ unsigned char *block;
+ int len;
+ for (block=key->data,len=key->len; len > 0; len -= STEP,block += STEP) {
+     for(i=0; i < STEP && i < len; i++) printf(" %02x ",block[i]);
+     printf("\n");
+ }
+ printf("\n");
+}
+
+void
+dump(unsigned char *block, int len) {
+ int i;
+ for (; len > 0; len -= STEP,block += STEP) {
+     for(i=0; i < STEP && i < len; i++) printf(" %02x ",block[i]);
+     printf("\n");
+ }
+ printf("\n");
+}
+
+
+/*
+ * We need to move this to security/cmd .. so we can use the password
+ * prompting infrastructure.
+ */
+char *GetUserInput(char * prompt) 
+{
+    char phrase[200];
+
+	    fprintf(stderr, "%s", prompt);
+            fflush (stderr);
+
+	fgets ((char*) phrase, sizeof(phrase), stdin);
+
+	/* stomp on newline */
+	phrase[PORT_Strlen((char*)phrase)-1] = 0;
+
+	/* Validate password */
+	return (char*) PORT_Strdup((char*)phrase);
+}
+
+void ClearPass(char *pass) {
+    PORT_Memset(pass,0,strlen(pass));
+    PORT_Free(pass);
+}
+
+char *
+formatDERIssuer(FORTSWFile *file,SECItem *derIssuer)
+{
+    CERTName name;
+    SECStatus rv;
+
+    PORT_Memset(&name,0,sizeof(name));;
+    rv = SEC_ASN1DecodeItem(file->arena,&name,CERT_NameTemplate,derIssuer);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    return CERT_NameToAscii(&name);
+}
+
+#define NETSCAPE_INIT_FILE "nsswft.swf"
+
+char *getDefaultTarget(void)
+{
+    char *fname = NULL;
+    char *home = NULL;
+    static char unix_home[512];
+
+    /* first try to get it from the environment */
+    fname = getenv("SW_FORTEZZA_FILE");
+    if (fname != NULL) {
+	return PORT_Strdup(fname);
+    }
+
+#ifdef XP_UNIX
+    home = getenv("HOME");
+    if (home) {
+	strncpy(unix_home,home, sizeof(unix_home)-sizeof("/.netscape/"NETSCAPE_INIT_FILE));
+	strcat(unix_home,"/.netscape/"NETSCAPE_INIT_FILE);
+	return unix_home;
+    }
+#endif
+#ifdef XP_WIN
+    home = getenv("windir");
+    if (home) {
+	strncpy(unix_home,home, sizeof(unix_home)-sizeof("\\"NETSCAPE_INIT_FILE));
+	strcat(unix_home,"\\"NETSCAPE_INIT_FILE);
+	return unix_home;
+    }
+#endif
+    return (NETSCAPE_INIT_FILE);
+}
+
+void
+usage(char *prog) {
+   fprintf(stderr,"usage: %s [-v][-f][-t transport_pass][-u user_pass][-o output_file] source_file\n",prog);
+   exit(1);
+}
+	
+int main(int argc, char ** argv)
+{
+
+    FORTSignedSWFile * swfile;
+    int size;
+    SECItem file;
+    char *progname = *argv++;
+    char *filename = NULL;
+    char *outname = NULL;
+    char *cp;
+    int verbose = 0;
+    int force = 0;
+    CERTCertDBHandle *certhandle = NULL;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    char * pass;
+    SECStatus rv;
+    int i;
+    int64 now; /* XXXX */
+    char *issuer;
+    char *transport_pass = NULL;
+    char *user_pass = NULL;
+    SECItem *outItem = NULL;
+    PRFileDesc *fd;
+    PRFileInfo info;
+    PRStatus prv;
+
+
+
+   
+    /* put better argument parsing here */
+    while ((cp = *argv++) != NULL) {
+	if (*cp == '-') {
+	    while (*++cp) {
+		switch (*cp) {
+		/* verbose mode */
+		case 'v':
+		    verbose++;
+		    break;
+		/* explicitly set the target */
+		case 'o':
+		    outname = *argv++;
+		    break;
+		case 'f':
+		/* skip errors in signatures without prompts */
+		    force++;
+		    break;
+		case 't':
+		/* provide password on command line */
+		    transport_pass = *argv++;
+		    break;
+		case 'u':
+		/* provide user password on command line */
+		    user_pass = *argv++;
+		    break;
+		default:
+		    usage(progname);
+		    break;
+		}
+	    }
+	} else if (filename) {
+	    usage(progname);
+	} else {
+	    filename = cp;
+	}
+    }
+
+    if (filename == NULL) usage(progname);
+    if (outname == NULL) outname = getDefaultTarget();
+
+
+    now = PR_Now();
+    /* read the file in */ 
+    fd = PR_Open(filename,PR_RDONLY,0);
+    if (fd == NULL) { 
+	fprintf(stderr,"%s: couldn't open file \"%s\".\n",progname,filename); 
+	exit(1);
+    }
+
+    prv = PR_GetOpenFileInfo(fd,&info);
+    if (prv != PR_SUCCESS) {
+	fprintf(stderr,"%s: couldn't get info on file \"%s\".\n",
+							progname,filename); 
+	exit(1);
+    }
+
+    size = info.size;
+
+    file.data = malloc(size);
+    file.len = size;
+
+    file.len = PR_Read(fd,file.data,file.len);
+    if (file.len < 0) { 
+	fprintf(stderr,"%s: couldn't read file \"%s\".\n",progname, filename); 
+	exit(1);
+    }
+
+    PR_Close(fd);
+
+    /* Parse the file */
+    swfile = FORT_GetSWFile(&file);
+    if (swfile == NULL) {
+	fprintf(stderr,
+	   "%s: File \"%s\" not a valid FORTEZZA initialization file.\n",
+		progname,filename);
+	exit(1);
+    }
+
+    issuer = formatDERIssuer(&swfile->file,&swfile->file.derIssuer);
+    if (issuer == NULL) {
+	issuer = "<Invalid Issuer DER>";
+    }
+
+    if (verbose) {
+	printf("Processing file %s ....\n",filename);
+	printf("  Version %ld\n",DER_GetInteger(&swfile->file.version));
+	printf("  Issuer: %s\n",issuer);
+	printf("  Serial Number: ");
+	for (i=0; i < (int)swfile->file.serialID.len; i++) {
+	    printf(" %02x",swfile->file.serialID.data[i]);
+	}
+	printf("\n");
+    }
+
+
+    /* Check the Initalization phrase and save Kinit */
+    if (!transport_pass) {
+    	pass = SECU_GetPasswordString(NULL,"Enter the Initialization Memphrase:");
+	transport_pass = pass;
+    }
+    rv = FORT_CheckInitPhrase(swfile,transport_pass);
+    if (rv != SECSuccess) {
+	fprintf(stderr,
+		"%s: Invalid Initialization Memphrase for file \"%s\".\n",
+		progname,filename);
+	exit(1);
+    }
+
+    /* Check the user or init phrase and save Ks, use Kinit to unwrap the
+     * remaining data. */
+    if (!user_pass) {
+    	pass = SECU_GetPasswordString(NULL,"Enter the User Memphrase or the User PIN:");
+	user_pass = pass;
+    }
+    rv = FORT_CheckUserPhrase(swfile,user_pass);
+    if (rv != SECSuccess) {
+	fprintf(stderr,"%s: Invalid User Memphrase or PIN for file \"%s\".\n",
+		progname,filename);
+	exit(1);
+    }
+
+    NSS_NoDB_Init(NULL);
+    sec_SetCheckKRLState(1);
+    certhandle = CERT_GetDefaultCertDB();
+
+    /* now dump the certs into the temparary data base */
+    for (i=0; swfile->file.slotEntries[i]; i++) {
+	int trusted = 0;
+    	SECItem *derCert = FORT_GetDERCert(swfile,
+			swfile->file.slotEntries[i]->certIndex);
+
+	if (derCert == NULL) {
+	    if (verbose) {
+	       printf(" Cert %02d: %s \"%s\" \n",
+		swfile->file.slotEntries[i]->certIndex,
+			"untrusted", "Couldn't decrypt Cert");
+	    }
+	    continue;
+	}
+	cert = CERT_NewTempCertificate(certhandle, derCert, NULL,
+							PR_FALSE, PR_TRUE);
+	if (cert == NULL) {
+	    if (verbose) {
+	       printf(" Cert %02d: %s \"%s\" \n",
+		swfile->file.slotEntries[i]->certIndex,
+			"untrusted", "Couldn't decode Cert");
+	    }
+	    continue;
+	}
+	if (swfile->file.slotEntries[i]->trusted.data[0]) {
+	    /* Add TRUST */
+	    trust = PORT_ArenaAlloc(cert->arena,sizeof(CERTCertTrust));
+	    if (trust != NULL) {
+	        trust->sslFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA;
+	        trust->emailFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA;
+	        trust->objectSigningFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA;
+	        cert->trust = trust;
+		trusted++;
+	    }
+	}
+	if (verbose) {
+	    printf(" Cert %02d: %s \"%s\" \n",
+		swfile->file.slotEntries[i]->certIndex,
+		trusted?" trusted ":"untrusted",
+			CERT_NameToAscii(&cert->subject));
+	}
+    }
+
+    fflush(stdout);
+
+
+    cert = CERT_FindCertByName(certhandle,&swfile->file.derIssuer);
+    if (cert == NULL) {
+	fprintf(stderr,"%s: Couldn't find signer certificate \"%s\".\n",
+		progname,issuer);
+	rv = SECFailure;
+	goto noverify;
+    }
+    rv = CERT_VerifySignedData(&swfile->signatureWrap,cert, now, NULL);
+    if (rv != SECSuccess) {
+	fprintf(stderr,
+	  "%s: Couldn't verify the signature on file \"%s\" with certificate \"%s\".\n",
+		progname,filename,issuer);
+	goto noverify;
+    }
+    rv = CERT_VerifyCert(certhandle, cert, PR_TRUE, certUsageSSLServer,
+								now ,NULL,NULL);
+    /* not an normal cert, see if it's a CA? */
+    if (rv != SECSuccess) {
+	rv = CERT_VerifyCert(certhandle, cert, PR_TRUE, certUsageAnyCA,
+								now ,NULL,NULL);
+    }
+    if (rv != SECSuccess) {
+	fprintf(stderr,"%s: Couldn't verify the signer certificate \"%s\".\n",
+		progname,issuer);
+	goto noverify;
+    }
+
+noverify:
+    if (rv != SECSuccess) {
+	if (!force) {
+	    pass = GetUserInput(
+	       "Signature verify failed, continue without verification? ");
+	    if (!(pass && ((*pass == 'Y') || (*pass == 'y')))) {
+		exit(1);
+            }
+	}
+    }
+
+
+    /* now write out the modified init file for future use */
+    outItem = FORT_PutSWFile(swfile);
+    if (outItem == NULL) {
+	fprintf(stderr,"%s: Couldn't format target init file.\n",
+		progname);
+	goto noverify;
+    }
+
+    if (verbose) {
+	printf("writing modified file out to \"%s\".\n",outname);
+    }
+
+    /* now write it out */
+    fd = PR_Open(outname,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0700);
+    if (fd == NULL) { 
+	fprintf(stderr,"%s: couldn't open file \"%s\".\n",progname,outname); 
+	exit(1);
+    }
+
+    file.len = PR_Write(fd,outItem->data,outItem->len);
+    if (file.len < 0) { 
+	fprintf(stderr,"%s: couldn't read file \"%s\".\n",progname, filename); 
+	exit(1);
+    }
+
+    PR_Close(fd);
+    
+    exit(0);
+    return (0);
+}
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/instinit/manifest.mn
@@ -0,0 +1,50 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+
+DEFINES += -DNSPR20
+
+MODULE = nss
+
+CSRCS = instinit.c
+
+REQUIRES = nspr dbm seccmd
+
+PROGRAM = instinit
+# PROGRAM = ./$(OBJDIR)/selfserv.exe
+
+USE_STATIC_LIBS = 1
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/manifest.mn
@@ -0,0 +1,42 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH	= ../../..
+
+REQUIRES = nss seccmd dbm
+
+
+DIRS = instinit newuser
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/newuser/Makefile
@@ -0,0 +1,87 @@
+#! gmake
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+ctmp := $(shell $(MAKE) -C ../../../lib/fortcrypt --no-print-directory cilib_name)
+ifeq ($(ctmp), $(patsubst /%,/,$(ctmp)))
+  CILIB := ../../../lib/fortcrypt/$(ctmp)
+else
+  CILIB := $(ctmp)
+endif
+
+EXTRA_LIBS += $(CILIB) 
+
+include ../../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/newuser/manifest.mn
@@ -0,0 +1,49 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+
+DEFINES += -DNSPR20
+
+MODULE = nss
+
+CSRCS = newuser.c mktst.c
+
+REQUIRES = nspr dbm seccmd
+
+PROGRAM = newuser
+
+USE_STATIC_LIBS = 1
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/swfort/newuser/mktst.c
@@ -0,0 +1,257 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include <stdio.h>
+
+#include "prio.h"
+#include "swforti.h"
+#include "maci.h"
+#include "secder.h"
+#include "blapi.h"
+
+void
+printkey(char *s, unsigned char *block) {
+ int i;
+ printf("%s \n  0x",s);
+ for(i=0; i < 10; i++) printf("%02x",block[i]);
+ printf("\n");
+}
+
+void
+printblock(char *s, unsigned char *block) {
+ int i;
+ printf("%s \n  0x",s);
+ for(i=0; i < 8; i++) printf("%02x",block[i]);
+ printf("\n  0x");
+ for(i=8; i < 16; i++) printf("%02x",block[i]);
+ printf("\n");
+}
+
+
+static char *leafbits="THIS IS NOT LEAF";
+
+static void
+encryptCertEntry(fortProtectedData *pdata,FORTSkipjackKeyPtr Ks,
+						unsigned char *data,int len)
+{
+    unsigned char *dataout;
+    int enc_len;
+	/* XXX Make length */