fixup commit for branch 'GECKO181_20070822_RELBRANCH' GECKO181_20070822_RELBRANCH
authorcvs2hg
Sat, 16 Jun 2007 05:12:03 +0000
branchGECKO181_20070822_RELBRANCH
changeset 7889 72059ac2640d497c1ca736fb75898ba6cf703601
parent 6338 d5ef185710a56c56c0ff7df8acb94bddf6623de5
child 13721 fe598fc5aad9a78e928df47e8980cc7acb6e165e
push idunknown
push userunknown
push dateunknown
fixup commit for branch 'GECKO181_20070822_RELBRANCH'
dbm/Makefile.in
dbm/include/Makefile.in
dbm/include/Makefile.win
dbm/include/cdefs.h
dbm/include/extern.h
dbm/include/hash.h
dbm/include/hsearch.h
dbm/include/mcom_db.h
dbm/include/mpool.h
dbm/include/ncompat.h
dbm/include/ndbm.h
dbm/include/page.h
dbm/include/queue.h
dbm/include/search.h
dbm/src/Makefile.in
dbm/src/Makefile.win
dbm/src/db.c
dbm/src/h_bigkey.c
dbm/src/h_func.c
dbm/src/h_log2.c
dbm/src/h_page.c
dbm/src/hash.c
dbm/src/hash_buf.c
dbm/src/hsearch.c
dbm/src/memmove.c
dbm/src/mktemp.c
dbm/src/ndbm.c
dbm/src/strerror.c
dbm/tests/Makefile.in
dbm/tests/lots.c
security/coreconf/Darwin.mk
security/coreconf/FreeBSD.mk
security/coreconf/Linux.mk
security/coreconf/Linux2.6.mk
security/coreconf/OS2.mk
security/coreconf/SunOS5.11.mk
security/coreconf/SunOS5.11_i86pc.mk
security/coreconf/WIN32.mk
security/coreconf/config.mk
security/coreconf/jdk.mk
security/coreconf/location.mk
security/coreconf/rules.mk
security/dbm/Makefile
security/dbm/config/config.mk
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/dirent.c
security/dbm/src/dirent.h
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/Makefile
security/nss/cmd/Makefile
security/nss/cmd/SSLsample/NSPRerrs.h
security/nss/cmd/SSLsample/SECerrs.h
security/nss/cmd/SSLsample/SSLerrs.h
security/nss/cmd/SSLsample/client.mn
security/nss/cmd/SSLsample/server.mn
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/certutil/certutil.c
security/nss/cmd/crlutil/crlgen.c
security/nss/cmd/crlutil/crlutil.c
security/nss/cmd/dbck/Makefile
security/nss/cmd/dbck/dbck.c
security/nss/cmd/dbck/dbrecover.c
security/nss/cmd/dbck/manifest.mn
security/nss/cmd/dbtest/Makefile
security/nss/cmd/fipstest/Makefile
security/nss/cmd/fipstest/dsa.sh
security/nss/cmd/fipstest/ecdsa.sh
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/fipstest/hmac.sh
security/nss/cmd/fipstest/rng.sh
security/nss/cmd/fipstest/rsa.sh
security/nss/cmd/fipstest/sha.sh
security/nss/cmd/fipstest/tdea.sh
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/SSLerrs.h
security/nss/cmd/lib/manifest.mn
security/nss/cmd/lib/secpwd.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/modutil/modutil.c
security/nss/cmd/modutil/pk11.c
security/nss/cmd/modutil/specification.html
security/nss/cmd/pk11mode/Makefile
security/nss/cmd/pk11mode/manifest.mn
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/platlibs.mk
security/nss/cmd/pp/pp.c
security/nss/cmd/rsaperf/Makefile
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/Makefile
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/Makefile
security/nss/cmd/tstclnt/tstclnt.c
security/nss/cmd/vfychain/Makefile
security/nss/cmd/vfyserv/Makefile
security/nss/cmd/vfyserv/vfyserv.c
security/nss/cmd/vfyserv/vfyutil.c
security/nss/lib/base/arena.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certdb/xauthkid.c
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/manifest.mn
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspi.h
security/nss/lib/certhigh/ocspt.h
security/nss/lib/ckfw/builtins/Makefile
security/nss/lib/ckfw/builtins/binst.c
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/constants.c
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/builtins/nssckbi.rc
security/nss/lib/ckfw/capi/nsscapi.rc
security/nss/lib/ckfw/dbm/Makefile
security/nss/lib/ckfw/dbm/anchor.c
security/nss/lib/ckfw/dbm/ckdbm.h
security/nss/lib/ckfw/dbm/config.mk
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/dbm/find.c
security/nss/lib/ckfw/dbm/instance.c
security/nss/lib/ckfw/dbm/manifest.mn
security/nss/lib/ckfw/dbm/object.c
security/nss/lib/ckfw/dbm/session.c
security/nss/lib/ckfw/dbm/slot.c
security/nss/lib/ckfw/dbm/token.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/crmf/challcli.c
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmfcont.c
security/nss/lib/crmf/crmfit.h
security/nss/lib/crmf/crmfpop.c
security/nss/lib/crmf/crmfreq.c
security/nss/lib/crmf/crmftmpl.c
security/nss/lib/crmf/respcmn.c
security/nss/lib/crmf/servget.c
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/freebl/GF2m_ecl.c
security/nss/lib/freebl/GF2m_ecl.h
security/nss/lib/freebl/GFp_ecl.c
security/nss/lib/freebl/GFp_ecl.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour-amd64-gas.s
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/des.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/Makefile
security/nss/lib/freebl/ecl/ec2_aff.c
security/nss/lib/freebl/ecl/ecl-curve.h
security/nss/lib/freebl/ecl/ecl-priv.h
security/nss/lib/freebl/ecl/ecl.c
security/nss/lib/freebl/ecl/ecl_curve.c
security/nss/lib/freebl/ecl/ecl_gf.c
security/nss/lib/freebl/ecl/ecl_mult.c
security/nss/lib/freebl/ecl/ecp_192.c
security/nss/lib/freebl/ecl/ecp_224.c
security/nss/lib/freebl/ecl/ecp_256.c
security/nss/lib/freebl/ecl/ecp_384.c
security/nss/lib/freebl/ecl/ecp_521.c
security/nss/lib/freebl/ecl/tests/ec2_test.c
security/nss/lib/freebl/ecl/tests/ecp_test.c
security/nss/lib/freebl/freebl.rc
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/mpi/Makefile
security/nss/lib/freebl/mpi/mp_gf2m.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi_amd64_gas.s
security/nss/lib/freebl/mpi/mpi_sparc.c
security/nss/lib/freebl/mpi/mpi_x86.asm
security/nss/lib/freebl/mpi/mpi_x86_asm.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/mpprime.c
security/nss/lib/freebl/mpi/target.mk
security/nss/lib/freebl/mpi/tests/mptest-7.c
security/nss/lib/freebl/mpi/tests/mptest-8.c
security/nss/lib/freebl/nss.h
security/nss/lib/freebl/os2_rand.c
security/nss/lib/freebl/pqg.c
security/nss/lib/freebl/prng_fips1861.c
security/nss/lib/freebl/secrng.h
security/nss/lib/freebl/sha256.h
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nss.rc
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/Makefile
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11cxt.c
security/nss/lib/pk11wrap/pk11err.c
security/nss/lib/pk11wrap/pk11kea.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11nobj.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pk12.c
security/nss/lib/pk11wrap/pk11pqg.c
security/nss/lib/pk11wrap/pk11priv.h
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pk11wrap/secmod.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs7/p7decode.c
security/nss/lib/pki/certificate.c
security/nss/lib/pki/cryptocontext.c
security/nss/lib/pki/nsspki.h
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pkibase.c
security/nss/lib/pki/pkim.h
security/nss/lib/pki/pkistore.c
security/nss/lib/pki/pkistore.h
security/nss/lib/pki/pkit.h
security/nss/lib/pki/tdcache.c
security/nss/lib/pki/trustdomain.c
security/nss/lib/smime/cmscipher.c
security/nss/lib/smime/cmsencode.c
security/nss/lib/smime/cmsrecinfo.c
security/nss/lib/smime/cmsreclist.c
security/nss/lib/smime/cmssiginfo.c
security/nss/lib/smime/cmsutil.c
security/nss/lib/smime/smime.rc
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/dbinit.c
security/nss/lib/softoken/dbmshim.c
security/nss/lib/softoken/ecdecode.c
security/nss/lib/softoken/fipsaudt.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/keydb.c
security/nss/lib/softoken/lowcert.c
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/nss.h
security/nss/lib/softoken/pcert.h
security/nss/lib/softoken/pcertdb.c
security/nss/lib/softoken/pcertt.h
security/nss/lib/softoken/pk11db.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/softoken/softoken.h
security/nss/lib/softoken/softokn.rc
security/nss/lib/softoken/softoknt.h
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/emulate.c
security/nss/lib/ssl/manifest.mn
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.rc
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/ssldef.c
security/nss/lib/ssl/sslenum.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslmutex.c
security/nss/lib/ssl/sslproto.h
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/derenc.c
security/nss/lib/util/secasn1d.c
security/nss/lib/util/secasn1e.c
security/nss/lib/util/secdig.c
security/nss/lib/util/secerr.h
security/nss/lib/util/secitem.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/util/secport.c
security/nss/lib/util/secport.h
security/nss/manifest.mn
security/nss/pkg/linux/Makefile
security/nss/pkg/solaris/Makefile-devl.com
security/nss/pkg/solaris/Makefile-tlsu.com
security/nss/pkg/solaris/Makefile.com
security/nss/tests/all.sh
security/nss/tests/cert/cert.sh
security/nss/tests/cert/certext.txt
security/nss/tests/cert/eccert.sh
security/nss/tests/cipher/cipher.sh
security/nss/tests/common/init.sh
security/nss/tests/dbtests/dbtests.sh
security/nss/tests/fips/fips.sh
security/nss/tests/fixtests.sh
security/nss/tests/perf/perf.sh
security/nss/tests/pkcs11/netscape/trivial/configure.in
security/nss/tests/smime/ecsmime.sh
security/nss/tests/smime/smime.sh
security/nss/tests/ssl/ecssl.sh
security/nss/tests/ssl/ecsslauth.txt
security/nss/tests/ssl/ecsslcov.txt
security/nss/tests/ssl/ecsslstress.txt
security/nss/tests/ssl/ssl.sh
security/nss/tests/ssl/sslauth.txt
security/nss/tests/ssl/sslcov.txt
security/nss/tests/ssl/sslstress.txt
security/nss/tests/tools/ectools.sh
security/nss/tests/tools/tools.sh
--- a/dbm/Makefile.in
+++ b/dbm/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/include/Makefile.in
+++ b/dbm/include/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/include/Makefile.win
+++ b/dbm/include/Makefile.win
@@ -1,43 +1,26 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# Contributor(s): 
 
 
 #//------------------------------------------------------------------------
 #//
 #// Makefile to build the cert library
 #//
 #//------------------------------------------------------------------------
 
--- a/dbm/include/cdefs.h
+++ b/dbm/include/cdefs.h
@@ -1,26 +1,65 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is 
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the NPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the NPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 /*
  * Copyright (c) 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
  *
  * This code is derived from software contributed to Berkeley by
  * Berkeley Software Design, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. ***REMOVED*** - see 
- *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
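Review bot: The Berkeley notice in this hunk reinstates clause 3, the advertising-acknowledgement requirement, in place of the `3. ***REMOVED*** - see` marker, while the hunks for extern.h, hash.h, hsearch.h, mpool.h and ncompat.h in the same changeset make the opposite replacement. The dbm/include/mcom_db.h hunk reinstates the clause in the same way. Because cvs2hg generated this fixup to match the branch contents, the reversal is probably an artifact of which CVS revisions the branch selected rather than a licensing decision, but the page does not confirm that. Keeping the `* 3. ***REMOVED*** - see` line and its `README.Impt.License.Change` reference in these two files would leave the dbm headers consistent; as written, a license scanner would likely classify them under the four-clause BSD terms, unlike their siblings.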
--- a/dbm/include/extern.h
+++ b/dbm/include/extern.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/hash.h
+++ b/dbm/include/hash.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/hsearch.h
+++ b/dbm/include/hsearch.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -1,23 +1,62 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is 
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the NPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the NPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 /*- 
  * Copyright (c) 1990, 1993, 1994
  *	The Regents of the University of California.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. ***REMOVED*** - see 
- *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/mpool.h
+++ b/dbm/include/mpool.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/ncompat.h
+++ b/dbm/include/ncompat.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/ndbm.h
+++ b/dbm/include/ndbm.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/page.h
+++ b/dbm/include/page.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/queue.h
+++ b/dbm/include/queue.h
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/include/search.h
+++ b/dbm/include/search.h
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/Makefile.in
+++ b/dbm/src/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
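Review bot: The replacement header on this Makefile grants NPL 1.1 only: the `# Version:` line, the BEGIN/END LICENSE BLOCK markers and the GPL/LGPL alternative-terms paragraph are all dropped, while dbm/tests/lots.c in the same changeset is declared `Version: NPL 1.1/GPL 2.0/LGPL 2.1` and keeps that paragraph. If the branch is meant to stay tri-licensed, keep the block markers and the alternative-terms text and change only MPL to NPL, starting the block with `# Version: NPL 1.1/GPL 2.0/LGPL 2.1`; as written, licence scanners and downstream packagers would probably record two different grants inside dbm/. The same applies to the dbm/src/Makefile.win and dbm/tests/Makefile.in hunks. The added `# Contributor(s): ` line also carries trailing whitespace.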
--- a/dbm/src/Makefile.win
+++ b/dbm/src/Makefile.win
@@ -1,43 +1,26 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# Contributor(s): 
 
 
 #//------------------------------------------------------------------------
 #//
 #// Makefile to build the cert library
 #//
 #//------------------------------------------------------------------------
 
--- a/dbm/src/db.c
+++ b/dbm/src/db.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_bigkey.c
+++ b/dbm/src/h_bigkey.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_func.c
+++ b/dbm/src/h_func.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_log2.c
+++ b/dbm/src/h_log2.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/h_page.c
+++ b/dbm/src/h_page.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hash_buf.c
+++ b/dbm/src/hash_buf.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/hsearch.c
+++ b/dbm/src/hsearch.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/memmove.c
+++ b/dbm/src/memmove.c
@@ -9,20 +9,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/ndbm.c
+++ b/dbm/src/ndbm.c
@@ -8,20 +8,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/src/strerror.c
+++ b/dbm/src/strerror.c
@@ -5,20 +5,18 @@
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
+ * 3. ***REMOVED*** - see 
+ *    ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
--- a/dbm/tests/Makefile.in
+++ b/dbm/tests/Makefile.in
@@ -1,44 +1,28 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
 #
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
 #
 # The Original Code is mozilla.org code.
 #
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
 #
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
+# Contributor(s): 
 #
-# ***** END LICENSE BLOCK *****
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
--- a/dbm/tests/lots.c
+++ b/dbm/tests/lots.c
@@ -1,42 +1,43 @@
 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ * Version: NPL 1.1/GPL 2.0/LGPL 2.1
  *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
+ * The contents of this file are subject to the Netscape Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/NPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  * for the specific language governing rights and limitations under the
  * License.
  *
  * The Original Code is mozilla.org code.
  *
- * The Initial Developer of the Original Code is
+ * The Initial Developer of the Original Code is 
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 1998
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *
+ *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
+ * use your version of this file under the terms of the NPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
+ * the terms of any one of the NPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /* use sequental numbers printed to strings
  * to store lots and lots of entries in the
  * database.
  *
  * Start with 100 entries, put them and then
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -38,54 +38,58 @@
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
 DEFAULT_COMPILER = cc
 
 CC		= cc
 CCC		= c++
 RANLIB		= ranlib
 
-ifeq (86,$(findstring 86,$(OS_TEST)))
+ifndef CPU_ARCH
+# When cross-compiling, CPU_ARCH should already be defined as the target
+# architecture, set to powerpc or i386.
+CPU_ARCH	:= $(shell uname -p)
+endif
+
+ifeq (,$(filter-out i%86,$(CPU_ARCH)))
 OS_REL_CFLAGS	= -Di386
-CPU_ARCH	= i386
 else
 OS_REL_CFLAGS	= -Dppc
-CPU_ARCH	= ppc
 endif
 
 ifneq (,$(MACOS_SDK_DIR))
     GCC_VERSION_FULL := $(shell $(CC) -v 2>&1 | grep "gcc version" | sed -e "s/^.*gcc version[  ]*//" | awk '{ print $$1 }')
     GCC_VERSION_MAJOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$1 }')
     GCC_VERSION_MINOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$2 }')
     GCC_VERSION = $(GCC_VERSION_MAJOR).$(GCC_VERSION_MINOR)
 
     ifeq (,$(filter-out 2 3,$(GCC_VERSION_MAJOR)))
         # GCC <= 3
         DARWIN_SDK_FRAMEWORKS = -F$(MACOS_SDK_DIR)/System/Library/Frameworks
         ifneq (,$(shell find $(MACOS_SDK_DIR)/Library/Frameworks -maxdepth 0))
             DARWIN_SDK_FRAMEWORKS += -F$(MACOS_SDK_DIR)/Library/Frameworks
         endif
         DARWIN_SDK_CFLAGS = -nostdinc -isystem $(MACOS_SDK_DIR)/usr/include/gcc/darwin/$(GCC_VERSION) -isystem $(MACOS_SDK_DIR)/usr/include $(DARWIN_SDK_FRAMEWORKS)
         DARWIN_SDK_LDFLAGS = -L$(MACOS_SDK_DIR)/usr/lib/gcc/darwin -L$(MACOS_SDK_DIR)/usr/lib/gcc/darwin/$(GCC_VERSION_FULL) -L$(MACOS_SDK_DIR)/usr/lib
-        DARWIN_SDK_DSOFLAGS = $(DARWIN_SDK_LDFLAGS) $(DARWIN_SDK_FRAMEWORKS)
+        DARWIN_SDK_SHLIBFLAGS = $(DARWIN_SDK_LDFLAGS) $(DARWIN_SDK_FRAMEWORKS)
         NEXT_ROOT = $(MACOS_SDK_DIR)
         export NEXT_ROOT
     else
         # GCC >= 4
         DARWIN_SDK_CFLAGS = -isysroot $(MACOS_SDK_DIR)
         ifneq (4.0.0,$(GCC_VERSION_FULL))
             # gcc > 4.0.0 passes -syslibroot to ld based on -isysroot.
             # Don't add -isysroot to DARWIN_SDK_LDFLAGS, because the programs
             # that are linked with those flags also get DARWIN_SDK_CFLAGS.
-            DARWIN_SDK_DSOFLAGS = -isysroot $(MACOS_SDK_DIR)
+            DARWIN_SDK_SHLIBFLAGS = -isysroot $(MACOS_SDK_DIR)
         else
             # gcc 4.0.0 doesn't pass -syslibroot to ld, it needs to be
             # explicit.
             DARWIN_SDK_LDFLAGS = -Wl,-syslibroot,$(MACOS_SDK_DIR)
-            DARWIN_SDK_DSOFLAGS = $(DARWIN_SDK_LDFLAGS)
+            DARWIN_SDK_SHLIBFLAGS = $(DARWIN_SDK_LDFLAGS)
         endif
     endif
 
     LDFLAGS += $(DARWIN_SDK_LDFLAGS)
 endif
 
 # "Commons" are tentative definitions in a global scope, like this:
 #     int x;
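Review bot: An empty `CPU_ARCH` takes the i386 branch of `ifeq (,$(filter-out i%86,$(CPU_ARCH)))`, because filtering an empty list leaves nothing, so a failed `uname -p` or a blank override silently builds with `-Di386`. A guard right after the `ifndef` block, `ifeq (,$(strip $(CPU_ARCH)))` / `$(error CPU_ARCH is empty)` / `endif`, would make that case fail loudly. The fallback now also yields whatever `uname -p` prints (the new comment says powerpc) where the old code assigned `ppc`, so any comparison of CPU_ARCH against `ppc` elsewhere needs checking; none is visible in this hunk.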
@@ -102,16 +106,16 @@ OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAG
 ifdef BUILD_OPT
 OPTIMIZER	= -O2
 endif
 
 ARCH		= darwin
 
 DSO_CFLAGS	= -fPIC
 # May override this with -bundle to create a loadable module.
-DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_name @executable_path/$(notdir $@) -headerpad_max_install_names $(DARWIN_SDK_DSOFLAGS)
+DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 
-MKSHLIB		= $(CC) -arch $(CPU_ARCH) $(DSO_LDOPTS)
+MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 DLL_SUFFIX	= dylib
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 G++INCLUDES	= -I/usr/include/g++
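Review bot: `MKSHLIB` no longer passes `-arch $(CPU_ARCH)`, so nothing in this hunk makes the shared-library link target the architecture that a cross-compiling caller placed in CPU_ARCH. If the architecture flag is now expected to arrive some other way, state that next to the definition, for example `# MKSHLIB adds no -arch flag; the target architecture must come from $(CC) or the SDK flags`. Moving the SDK flags out of `DSO_LDOPTS` also means any rule that links with `$(DSO_LDOPTS)` directly rather than through `$(MKSHLIB)` loses them; whether such rules exist is not visible here.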
--- a/security/coreconf/FreeBSD.mk
+++ b/security/coreconf/FreeBSD.mk
@@ -70,16 +70,16 @@ MOZ_OBJFORMAT		:= $(shell test -x /usr/b
 ifeq ($(MOZ_OBJFORMAT),elf)
 DLL_SUFFIX		= so
 else
 DLL_SUFFIX		= so.1.0
 endif
 
 MKSHLIB			= $(CC) $(DSO_LDOPTS)
 ifdef MAPFILE
-# Add LD options to restrict exported symbols to those in the map file
+	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
+PROCESS_MAP_FILE = grep -v ';-' $< | \
+        sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 G++INCLUDES		= -I/usr/include/g++
 
 INCLUDES		+= -I/usr/X11R6/include
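Review bot: The `--version-script` option is added for every `MAPFILE` build, but the context lines above still handle a non-ELF `MOZ_OBJFORMAT`, and version scripts are an ELF linker feature. Consider nesting the `ifdef MAPFILE` block under the `ifeq ($(MOZ_OBJFORMAT),elf)` test, or documenting that the non-ELF case is no longer expected to build shared libraries with a map file. Both explanatory comments were removed along with the placeholder; a replacement such as `# Restrict exported symbols to those listed in the map file` above the `ifdef` would keep the purpose of the grep/sed pipeline readable.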
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -160,17 +160,17 @@ OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
 DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -shared $(ARCHFLAG) -z defs
+DSO_LDOPTS		= -shared $(ARCHFLAG)
 DSO_LDFLAGS		=
 LDFLAGS			+= $(ARCHFLAG)
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
 # Always set CPU_TAG on Linux, OpenVMS, WINCE.
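Review bot: Removing `-z defs` from the shared `DSO_LDOPTS` means only configurations that re-add it keep link-time detection of undefined symbols; in this commit that is Linux2.6.mk alone, via `DSO_LDOPTS += -Wl,-z,defs`. Any other Linux release file that includes Linux.mk would now produce shared libraries whose unresolved references surface only at load time. If the flag was dropped because the bare `-z defs` form was not reaching the linker through the compiler driver, `DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs` on this line would keep the check for every Linux variant; otherwise a comment explaining why it is limited to 2.6 would help.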
--- a/security/coreconf/Linux2.6.mk
+++ b/security/coreconf/Linux2.6.mk
@@ -32,16 +32,18 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/Linux.mk
 
+DSO_LDOPTS      += -Wl,-z,defs
+
 OS_REL_CFLAGS   += -DLINUX2_1
 MKSHLIB         = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/OS2.mk
+++ b/security/coreconf/OS2.mk
@@ -73,28 +73,32 @@ AR_FLAGS                =
 RANLIB 			= @echo OS2 RANLIB
 BSDECHO 		= @echo OS2 BSDECHO
 IMPLIB			= emximp -o
 FILTER			= emxexp -o
 
 # GCC for OS/2 currently predefines these, but we don't want them
 DEFINES 		+= -Uunix -U__unix -U__unix__
 
-DEFINES			+= -DTCPV40HDRS
+DEFINES			+= -DXP_OS2_EMX -DTCPV40HDRS
+
+ifeq ($(MOZ_OS2_HIGH_MEMORY),1)
+HIGHMEM_LDFLAG          = -Zhigh-mem
+endif
 
 ifndef NO_SHARED_LIB
 WRAP_MALLOC_LIB         = 
 WRAP_MALLOC_CFLAGS      = 
 DSO_CFLAGS              = 
 DSO_PIC_CFLAGS          = 
 MKSHLIB                 = $(CXX) $(CXXFLAGS) $(DSO_LDOPTS) -o $@
 MKCSHLIB                = $(CC) $(CFLAGS) $(DSO_LDOPTS) -o $@
 MKSHLIB_FORCE_ALL       = 
 MKSHLIB_UNFORCE_ALL     = 
-DSO_LDOPTS              = -Zomf -Zdll -Zmap
+DSO_LDOPTS              = -Zomf -Zdll -Zmap $(HIGHMEM_LDFLAG)
 SHLIB_LDSTARTFILE	= 
 SHLIB_LDENDFILE		= 
 ifdef MAPFILE
 MKSHLIB += $(MAPFILE)
 endif
 PROCESS_MAP_FILE = \
 	echo LIBRARY $(LIBRARY_NAME)$(LIBRARY_VERSION) INITINSTANCE TERMINSTANCE > $@; \
 	echo PROTMODE >> $@; \
@@ -107,26 +111,26 @@ PROCESS_MAP_FILE = \
 
 endif   #NO_SHARED_LIB
 
 OS_CFLAGS          = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Zomf -DDEBUG -DTRACING -g
 
 ifdef BUILD_OPT
 OPTIMIZER		= -O2 -s
 DEFINES 		+= -UDEBUG -U_DEBUG -DNDEBUG
-DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
+DLLFLAGS		= -DLL -OUT:$@ -MAP:$(@:.dll=.map) $(HIGHMEM_LDFLAG)
+EXEFLAGS    		= -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE $(HIGHMEM_LDFLAG)
 OBJDIR_TAG 		= _OPT
 else
 #OPTIMIZER		= -O+ -Oi
 DEFINES 		+= -DDEBUG -D_DEBUG -DDEBUGPRINTS     #HCT Need += to avoid overidding manifest.mn 
-DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map)
-EXEFLAGS    		= -DEBUG -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE
+DLLFLAGS		= -DEBUG -DLL -OUT:$@ -MAP:$(@:.dll=.map) $(HIGHMEM_LDFLAG)
+EXEFLAGS    		= -DEBUG -PMTYPE:VIO -OUT:$@ -MAP:$(@:.exe=.map) -nologo -NOE $(HIGHMEM_LDFLAG)
 OBJDIR_TAG 		= _DBG
-LDFLAGS 		= -DEBUG 
+LDFLAGS 		= -DEBUG $(HIGHMEM_LDFLAG)
 endif   # BUILD_OPT
 
 else    # XP_OS2_VACPP
 
 # Override suffix in suffix.mk
 OBJ_SUFFIX  = .obj
 ASM_SUFFIX  = .asm
 
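Review bot: In the `BUILD_OPT` branch `$(HIGHMEM_LDFLAG)` is appended to `DLLFLAGS` and `EXEFLAGS` but `LDFLAGS` is left alone, while the debug branch sets `LDFLAGS = -DEBUG $(HIGHMEM_LDFLAG)`. Unless LDFLAGS picks the flag up elsewhere, optimized programs linked through `$(LDFLAGS)` would be built without `-Zhigh-mem` when `MOZ_OS2_HIGH_MEMORY=1`, so debug and release binaries would be linked differently. Adding `LDFLAGS += $(HIGHMEM_LDFLAG)` to the `BUILD_OPT` branch would make the two consistent. The enclosing conditional starts outside this hunk.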
@@ -235,18 +239,16 @@ else
 		INSTALL += -L `pwd`
 	else
 		# install using relative symbolic links
 		INSTALL  = $(NSINSTALL)
 		INSTALL += -R
 	endif
 endif
 
-DEFINES += -DXP_OS2
-
 define MAKE_OBJDIR
 if test ! -d $(@D); then rm -rf $(@D); $(NSINSTALL) -D $(@D); fi
 endef
 
 #
 # override the definition of DLL_PREFIX in prefix.mk
 #
 
new file mode 100644
--- /dev/null
+++ b/security/coreconf/SunOS5.11.mk
@@ -0,0 +1,46 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+SOL_CFLAGS += -D_SVID_GETTOD
+
+include $(CORE_DEPTH)/coreconf/SunOS5.mk
+
+ifeq ($(OS_RELEASE),5.11)
+	OS_DEFINES += -DSOLARIS2_11
+endif
+
+OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
new file mode 100644
--- /dev/null
+++ b/security/coreconf/SunOS5.11_i86pc.mk
@@ -0,0 +1,53 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+SOL_CFLAGS	= -D_SVID_GETTOD
+
+include $(CORE_DEPTH)/coreconf/SunOS5.mk
+
+ifeq ($(USE_64),1)
+    CPU_ARCH		= x86_64
+else
+    CPU_ARCH		= x86
+    OS_DEFINES		+= -Di386
+endif
+
+ifeq ($(OS_RELEASE),5.11_i86pc)
+	OS_DEFINES += -DSOLARIS2_11
+endif
+
+OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
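Review bot: `SOL_CFLAGS = -D_SVID_GETTOD` replaces any value set before this file is read, whereas the sibling SunOS5.11.mk added in the same commit uses `SOL_CFLAGS += -D_SVID_GETTOD`. Unless the overwrite is intended, use `+=` here as well. `CPU_ARCH` is also assigned after `include $(CORE_DEPTH)/coreconf/SunOS5.mk`, so anything in that include that expands CPU_ARCH immediately would not see `x86` or `x86_64`; SunOS5.mk is not shown, so this needs confirming.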
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -56,16 +56,17 @@ else
 	CC           = cl
 	CCC          = cl
 	LINK         = link
 	AR           = lib
 	AR          += -NOLOGO -OUT:"$@"
 	RANLIB       = echo
 	BSDECHO      = echo
 	RC           = rc.exe
+	MT           = mt.exe
 endif
 
 ifdef BUILD_TREE
 NSINSTALL_DIR  = $(BUILD_TREE)/nss
 else
 NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
 endif
 NSINSTALL      = nsinstall
@@ -84,17 +85,20 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mno-cygwin -mms-bitfields
+    # The -mnop-fun-dllimport flag allows us to avoid a drawback of
+    # the dllimport attribute that a pointer to a function marked as
+    # dllimport cannot be used as as a constant address.
+    OS_CFLAGS += -mno-cygwin -mms-bitfields -mnop-fun-dllimport
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mno-cygwin -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	OPTIMIZER  += -O2
 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
 	#
 	# Add symbolic information for a profiler
 	#
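Review bot: The new comment reads "cannot be used as as a constant address"; the doubled "as" should be dropped. Since the flag is specific to the `NS_USE_GCC` branch, the comment could be tightened to something like `# -mnop-fun-dllimport: allow the address of a dllimport'ed function to be used as a constant (GCC only)`.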
@@ -121,16 +125,17 @@ else # !NS_USE_GCC
 	ifdef MOZ_PROFILE
 		OPTIMIZER += -Z7
 	endif
 	ifdef MOZ_DEBUG_SYMBOLS
 		OPTIMIZER += -Zi
 	endif
 	ifneq (,$(MOZ_PROFILE)$(MOZ_DEBUG_SYMBOLS))
 		DLLFLAGS += -DEBUG -OPT:REF
+		LDFLAGS += -DEBUG -OPT:REF
 	endif
     else
 	#
 	# Define USE_DEBUG_RTL if you want to use the debug runtime library
 	# (RTL) in the debug build
 	#
 	ifdef USE_DEBUG_RTL
 		OS_CFLAGS += -MDd
@@ -140,19 +145,24 @@ else # !NS_USE_GCC
 	OPTIMIZER  += -Od -Z7
 	#OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
 	DLLFLAGS   += -DEBUG -OUT:"$@"
+	LDFLAGS    += -DEBUG 
+ifndef MOZ_DEBUG_SYMBOLS
+	LDFLAGS    += -PDB:NONE 
+endif
 	# Purify requires /FIXED:NO when linking EXEs.
-	LDFLAGS    += -DEBUG -PDB:NONE /FIXED:NO
+	LDFLAGS    += /FIXED:NO
     endif
+#   DEFINES += -D_CRT_SECURE_NO_WARNINGS
 endif # NS_USE_GCC
 
 DEFINES += -DWIN32
 ifdef MAPFILE
 ifndef NS_USE_GCC
 DLLFLAGS += -DEF:$(MAPFILE)
 endif
 endif
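Review bot: The added `#   DEFINES += -D_CRT_SECURE_NO_WARNINGS` is commented-out code with no explanation, so a later reader cannot tell whether it is meant to be switched on. Leaving it disabled keeps the compiler's warnings about the unchecked CRT string functions visible, which is the safer default; either delete the line or replace it with a comment stating that intent, such as `# _CRT_SECURE_NO_WARNINGS is deliberately not defined: keep the CRT deprecation warnings`. The new `ifndef MOZ_DEBUG_SYMBOLS` / `endif` pair also sits at column 0 inside a tab-indented block, unlike the surrounding conditionals.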
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -165,8 +165,19 @@ include $(CORE_DEPTH)/coreconf/ruleset.m
 endif
 
 #######################################################################
 # [15.0] Dependencies.
 #######################################################################
 
 -include $(MKDEPENDENCIES)
 
+#######################################################################
+# [16.0] Global environ ment defines
+#######################################################################
+
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
+
+ifdef NSS_ECC_MORE_THAN_SUITE_B
+DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
+endif
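Review bot: `ifdef NSS_ENABLE_ECC` is true for any non-empty value, so `NSS_ENABLE_ECC=0` in the environment or on the command line still adds `-DNSS_ENABLE_ECC`; the same holds for `NSS_ECC_MORE_THAN_SUITE_B`. Because these switches decide which elliptic-curve code is compiled in, the accepted values should be explicit: either test `ifeq ($(NSS_ENABLE_ECC),1)` or add a comment such as `# Any non-empty value enables the feature; leave unset to disable`. The section heading also has a stray space in "environ ment".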
--- a/security/coreconf/jdk.mk
+++ b/security/coreconf/jdk.mk
@@ -179,16 +179,41 @@ ifeq ($(OS_ARCH), Linux)
 
 	INCLUDES += -I$(JAVA_HOME)/include
 	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
+# set [Mac OS X] platforms
+ifeq ($(OS_ARCH), Darwin)
+	JAVA_CLASSES = $(JAVA_HOME)/../Classes/classes.jar
+
+	ifeq ($(JRE_HOME),)
+		JRE_HOME = $(JAVA_HOME)
+		JRE_CLASSES = $(JAVA_CLASSES)
+	else
+		ifeq ($(JRE_CLASSES),)
+			JRE_CLASSES = $(JRE_HOME)/../Classes/classes.jar
+		endif
+	endif
+
+	PATH_SEPARATOR = :
+
+	# (2) specify "header" information
+	JAVA_ARCH = darwin
+
+	INCLUDES += -I$(JAVA_HOME)/include
+	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
+
+	# no JIT option available on this platform
+	JDK_JIT_OPT =
+endif
+
 # set [IBM AIX] platforms
 ifeq ($(OS_ARCH), AIX)
 	JAVA_CLASSES = $(JAVA_HOME)/jre/lib/rt.jar
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
--- a/security/coreconf/location.mk
+++ b/security/coreconf/location.mk
@@ -70,9 +70,17 @@ GARBAGE += $(DEPENDENCIES) core $(wildca
 ifdef NSPR_INCLUDE_DIR
     INCLUDES += -I$(NSPR_INCLUDE_DIR)
 endif
 
 ifndef NSPR_LIB_DIR
     NSPR_LIB_DIR = $(DIST)/lib
 endif
 
+ifdef NSS_INCLUDE_DIR
+    INCLUDES += -I$(NSS_INCLUDE_DIR)
+endif
+                                                                                
+ifndef NSS_LIB_DIR
+    NSS_LIB_DIR = $(DIST)/lib
+endif
+
 MK_LOCATION = included
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -109,22 +109,32 @@ release_classes::
 	+$(LOOP_OVER_DIRS)
 
 libs program install:: $(TARGETS)
 ifdef LIBRARY
 	$(INSTALL) -m 664 $(LIBRARY) $(SOURCE_LIB_DIR)
 endif
 ifdef SHARED_LIBRARY
 	$(INSTALL) -m 775 $(SHARED_LIBRARY) $(SOURCE_LIB_DIR)
+ifdef MOZ_DEBUG_SYMBOLS
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+	$(INSTALL) -m 644 $(SHARED_LIBRARY:$(DLL_SUFFIX)=pdb) $(SOURCE_LIB_DIR)
+endif
+endif
 endif
 ifdef IMPORT_LIBRARY
 	$(INSTALL) -m 775 $(IMPORT_LIBRARY) $(SOURCE_LIB_DIR)
 endif
 ifdef PROGRAM
 	$(INSTALL) -m 775 $(PROGRAM) $(SOURCE_BIN_DIR)
+ifdef MOZ_DEBUG_SYMBOLS
+ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+	$(INSTALL) -m 644 $(PROGRAM:$(PROG_SUFFIX)=.pdb) $(SOURCE_BIN_DIR)
+endif
+endif
 endif
 ifdef PROGRAMS
 	$(INSTALL) -m 775 $(PROGRAMS) $(SOURCE_BIN_DIR)
 endif
 	+$(LOOP_OVER_DIRS)
 
 tests::
 	+$(LOOP_OVER_DIRS)
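Review bot: The two new `.pdb` install lines derive the file name differently: `$(SHARED_LIBRARY:$(DLL_SUFFIX)=pdb)` assumes a suffix without the dot, while `$(PROGRAM:$(PROG_SUFFIX)=.pdb)` assumes one with it. That holds only while the two suffix variables keep those conventions, so a comment above the lines would prevent a silent mismatch, e.g. `# DLL_SUFFIX has no leading dot, PROG_SUFFIX does`. `$(INSTALL)` will also fail the target if the linker produced no `.pdb` for a binary, and the `PROGRAMS` case gets no corresponding step; both are worth confirming against the link flags.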
@@ -270,16 +280,22 @@ ifdef XP_OS2_VACPP
 EXTRA_SHARED_LIBS := $(filter-out -L%,$(EXTRA_SHARED_LIBS))
 EXTRA_SHARED_LIBS := $(patsubst -l%,$(DIST)/lib/%.$(LIB_SUFFIX),$(EXTRA_SHARED_LIBS))
 endif
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 else
 ifdef XP_OS2_VACPP
 	$(MKPROG) -Fe$@ $(CFLAGS) $(OBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 endif
 
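Review bot: In the manifest step `$(MT)` is followed by `; rm -f $@.manifest`, so when mt fails the manifest is still deleted and the `if` returns the status of `rm`, letting the build continue with a binary that has no embedded manifest. Chain the two commands instead: `$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1 && rm -f $@.manifest; \`. The same snippet is repeated in the shared-library rule (resource id 2) and in the `%$(PROG_SUFFIX)` pattern rule in the following hunks; a single `define` taking the resource id would keep the three copies in step.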
@@ -324,16 +340,22 @@ ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
 	$(LD) $(XCFLAGS) -o $@ $(OBJS) -bE:$(OBJDIR)/lib$(LIBRARY_NAME)_syms \
 	-bM:SRE -bnoentry $(OS_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 else
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 ifdef NS_USE_GCC
 	$(LINK_DLL) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
 else
 	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES))
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 endif
 else
 ifdef XP_OS2_VACPP
 	$(MKSHLIB) $(DLLFLAGS) $(LDFLAGS) $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 	chmod +x $@
@@ -362,67 +384,76 @@ endif
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+ifdef MT
+	if test -f $@.manifest; then \
+		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
+		rm -f $@.manifest; \
+	fi
+endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
 	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 endif
 
 WCCFLAGS1 := $(subst /,\\,$(CFLAGS))
 WCCFLAGS2 := $(subst -I,-i=,$(WCCFLAGS1))
 WCCFLAGS3 := $(subst -D,-d,$(WCCFLAGS2))
 
 # Translate source filenames to absolute paths. This is required for
 # debuggers under Windows & OS/2 to find source files automatically
 
 ifeq (,$(filter-out OS2 AIX,$(OS_TARGET)))
+# OS/2 and AIX
 NEED_ABSOLUTE_PATH := 1
 PWD := $(shell pwd)
-endif
 
+else
+# Windows
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 NEED_ABSOLUTE_PATH := 1
 PWD := $(shell pwd)
 ifeq (,$(findstring ;,$(PATH)))
 ifndef USE_MSYS
 PWD := $(subst \,/,$(shell cygpath -w $(PWD)))
 endif
 endif
+
+else
+# everything else
+PWD := $(shell pwd)
+endif
 endif
 
-ifdef NEED_ABSOLUTE_PATH
-abspath = $(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))
-else
-abspath = $(1)
-endif
+core_abspath = $(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 $(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
 ifdef USE_NT_C_SYNTAX
-	$(CC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 ifndef XP_OS2_VACPP
 ifneq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.s
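Review bot: The rename from `abspath` to `core_abspath` is unexplained; presumably it avoids a clash with GNU make's own `abspath` function, and a comment should say so, e.g. `# Named core_abspath so it does not collide with make's built-in abspath`. The helper is now defined unconditionally and depends on `PWD`, which the new nested `ifeq`/`else` chain assigns in three separate branches. Setting `PWD := $(shell pwd)` once before the chain and keeping only `NEED_ABSOLUTE_PATH` and the cygpath adjustment inside it would be easier to follow.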
@@ -441,20 +472,20 @@ endif
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
 	@$(MAKE_OBJDIR)
 	$(AS) -o $@ $(ASFLAGS) -c $<
 
 $(OBJDIR)/$(PROG_PREFIX)%: %.cpp
 	@$(MAKE_OBJDIR)
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 #
 # Please keep the next two rules in sync.
 #
@@ -465,20 +496,20 @@ endif
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
 	@$(MAKE_OBJDIR)
 ifdef STRICT_CPLUSPLUS_SUFFIX
 	echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
 	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
 	rm -f $(OBJDIR)/t_$*.cc
 else
 ifdef USE_NT_C_SYNTAX
-	$(CCC) -Fo$@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 ifdef NEED_ABSOLUTE_PATH
-	$(CCC) -o $@ -c $(CFLAGS) $(call abspath,$<)
+	$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
 else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 endif #STRICT_CPLUSPLUS_SUFFIX
 
 %.i: %.cpp
 	$(CCC) -C -E $(CFLAGS) $< > $@
@@ -865,18 +896,17 @@ endif
 
 
 ################################################################################
 
 -include $(DEPENDENCIES)
 
 ifneq (,$(filter-out OpenVMS OS2 WIN%,$(OS_TARGET)))
 # Can't use sed because of its 4000-char line length limit, so resort to perl
-.DEFAULT:
-	@perl -e '                                                            \
+PERL_DEPENDENCIES_PROGRAM =                                                   \
 	    open(MD, "< $(DEPENDENCIES)");                                    \
 	    while (<MD>) {                                                    \
 		if (m@ \.*/*$< @) {                                           \
 		    $$found = 1;                                              \
 		    last;                                                     \
 		}                                                             \
 	    }                                                                 \
 	    if ($$found) {                                                    \
@@ -893,17 +923,20 @@ ifneq (,$(filter-out OpenVMS OS2 WIN%,$(
 		}                                                             \
 		close(TMD);                                                   \
 		if (!rename($$tmpname, "$(DEPENDENCIES)")) {                  \
 		    unlink(($$tmpname));                                      \
 		}                                                             \
 	    } elsif ("$<" ne "$(DEPENDENCIES)") {                             \
 		print "$(MAKE): *** No rule to make target $<.  Stop.\n";     \
 		exit(1);                                                      \
-	    }'
+	    }
+
+.DEFAULT:
+	@perl -e '$(PERL_DEPENDENCIES_PROGRAM)'
 endif
 
 #############################################################################
 # X dependency system
 #############################################################################
 
 ifdef MKDEPENDENCIES
 
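Review bot: `$<` and `$(DEPENDENCIES)` are pasted by make into the Perl source before `perl -e` parses it, inside `m@ \.*/*$< @` and inside double-quoted strings, so a target name containing regex metacharacters, `@`, a quote or `$` alters the program instead of being matched literally. Moving the script into `PERL_DEPENDENCIES_PROGRAM` keeps that behaviour unchanged. Wrapping the pattern as `m@ \.*/*\Q$<\E @` would at least make the regex match literal, and passing the names through the environment would avoid the interpolation altogether. The variable definition begins in the previous hunk.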
deleted file mode 100644
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-coreconf_hack:
-	cd ../coreconf; gmake
-	gmake import
-
-RelEng_bld: coreconf_hack
-	gmake
deleted file mode 100644
--- a/security/dbm/config/config.mk
+++ /dev/null
@@ -1,67 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# These macros are defined by mozilla's configure script.
-# We define them manually here.
-#
-
-DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR
-
-#
-# Most platforms have snprintf, so it's simpler to list the exceptions.
-#
-HAVE_SNPRINTF = 1
-#
-# OSF1 V4.0D doesn't have snprintf but V5.0A does.
-#
-ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D)
-HAVE_SNPRINTF =
-endif
-ifdef HAVE_SNPRINTF
-DEFINES += -DHAVE_SNPRINTF
-endif
-
-ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_CDEFS_H
-endif
-
-ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_BYTEORDER_H
-endif
-
-#
-# None of the platforms that we are interested in need to
-# define HAVE_MEMORY_H.
-#
deleted file mode 100644
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS =	nsres.h   \
-		cdefs.h   \
-		mcom_db.h \
-		ncompat.h \
-		winfile.h \
-		$(NULL)
-
-PRIVATE_EXPORTS =	hsearch.h \
-			page.h    \
-			extern.h  \
-			ndbm.h    \
-			queue.h   \
-			hash.h    \
-			mpool.h   \
-			search.h  \
-			$(NULL)
-
deleted file mode 100644
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,45 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-IMPORTS = nspr20/v4.4.1
-
-RELEASE = dbm
-
-DIRS =  include \
-        src     \
-	$(NULL)
deleted file mode 100644
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(CORE_DEPTH)/dbm/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-#  Currently, override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY   =
-PROGRAM        =
-
-ifdef SHARED_LIBRARY
-	ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16
-		DLLBASE=/BASE:0x30000000
-		RES=$(OBJDIR)/dbm.res
-		RESNAME=../include/dbm.rc
-	endif
-	ifeq ($(DLL_SUFFIX),dll)
-		DEFINES += -D_DLL
-	endif
-endif
-
-ifeq ($(OS_TARGET),AIX)
-	OS_LIBS += -lc_r
-endif
deleted file mode 100644
--- a/security/dbm/src/dirent.c
+++ /dev/null
@@ -1,348 +0,0 @@
-#ifdef OS2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <dirent.h>
-#include <errno.h>
-
-/*#ifndef __EMX__ 
-#include <libx.h>
-#endif */
-
-#define INCL_DOSFILEMGR
-#define INCL_DOSERRORS
-#include <os2.h>
-
-#if OS2 >= 2
-# define FFBUF	FILEFINDBUF3
-# define Word	ULONG
-  /*
-   * LS20 recommends a request count of 100, but according to the
-   * APAR text it does not lead to missing files, just to funny
-   * numbers of returned entries.
-   *
-   * LS30 HPFS386 requires a count greater than 2, or some files
-   * are missing (those starting with a character less that '.').
-   *
-   * Novell looses entries which overflow the buffer. In previous
-   * versions of dirent2, this could have lead to missing files
-   * when the average length of 100 directory entries was 40 bytes
-   * or more (quite unlikely for files on a Novell server).
-   *
-   * Conclusion: Make sure that the entries all fit into the buffer
-   * and that the buffer is large enough for more than 2 entries
-   * (each entry is at most 300 bytes long). And ignore the LS20
-   * effect.
-   */
-# define Count	25
-# define BufSz	(25 * (sizeof(FILEFINDBUF3)+1))
-#else
-# define FFBUF	FILEFINDBUF
-# define Word	USHORT
-# define BufSz	1024
-# define Count	3
-#endif
-
-#if defined(__IBMC__) || defined(__IBMCPP__)
-  #define error(rc) _doserrno = rc, errno = EOS2ERR
-#elif defined(MICROSOFT)
-  #define error(rc) _doserrno = rc, errno = 255
-#else
-  #define error(rc) errno = 255
-#endif
-
-struct _dirdescr {
-	HDIR		handle;		/* DosFindFirst handle */
-	char		fstype;		/* filesystem type */
-	Word		count;		/* valid entries in <ffbuf> */
-	long		number;		/* absolute number of next entry */
-	int		index;		/* relative number of next entry */
-	FFBUF *		next;		/* pointer to next entry */
-	char		name[MAXPATHLEN+3]; /* directory name */
-	unsigned	attrmask;	/* attribute mask for seekdir */
-	struct dirent	entry;		/* buffer for directory entry */
-	BYTE		ffbuf[BufSz];
-};
-
-/*
- * Return first char of filesystem type, or 0 if unknown.
- */
-static char
-getFSType(const char *path)
-{
-	static char cache[1+26];
-	char drive[3], info[512];
-	Word unit, infolen;
-	char r;
-
-	if (isalpha(path[0]) && path[1] == ':') {
-		unit = toupper(path[0]) - '@';
-		path += 2;
-	} else {
-		ULONG driveMap;
-#if OS2 >= 2
-		if (DosQueryCurrentDisk(&unit, &driveMap))
-#else
-		if (DosQCurDisk(&unit, &driveMap))
-#endif
-			return 0;
-	}
-
-	if ((path[0] == '\\' || path[0] == '/')
-	 && (path[1] == '\\' || path[1] == '/'))
-		return 0;
-
-	if (cache [unit])
-		return cache [unit];
-
-	drive[0] = '@' + unit;
-	drive[1] = ':';
-	drive[2] = '\0';
-	infolen = sizeof info;
-#if OS2 >= 2
-	if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
-		return 0;
-	if (infolen >= sizeof(FSQBUFFER2)) {
-		FSQBUFFER2 *p = (FSQBUFFER2 *)info;
-		r = p->szFSDName[p->cbName];
-	} else
-#else
-	if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
-		return 0;
-	if (infolen >= 9) {
-		char *p = info + sizeof(USHORT);
-		p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
-		r = *p;
-	} else
-#endif
-		r = 0;
-	return cache [unit] = r;
-}
-
-char *
-abs_path(const char *name, char *buffer, int len)
-{
-	char buf[4];
-	if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') {
-		buf[0] = name[0];
-		buf[1] = name[1];
-		buf[2] = '.';
-		buf[3] = '\0';
-		name = buf;
-	}
-#if OS2 >= 2
-	if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len))
-#else
-	if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L))
-#endif
-		return NULL;
-	return buffer;
-}
-
-DIR *
-openxdir(const char *path, unsigned att_mask)
-{
-	DIR *dir;
-	char name[MAXPATHLEN+3];
-	Word rc;
-
-	dir = malloc(sizeof(DIR));
-	if (dir == NULL) {
-		errno = ENOMEM;
-		return NULL;
-	}
-
-	strncpy(name, path, MAXPATHLEN);
-	name[MAXPATHLEN] = '\0';
-	switch (name[strlen(name)-1]) {
-	default:
-		strcat(name, "\\");
-	case '\\':
-	case '/':
-	case ':':
-		;
-	}
-	strcat(name, ".");
-	if (!abs_path(name, dir->name, MAXPATHLEN+1))
-		strcpy(dir->name, name);
-	if (dir->name[strlen(dir->name)-1] == '\\')
-		strcat(dir->name, "*");
-	else
-		strcat(dir->name, "\\*");
-
-	dir->fstype = getFSType(dir->name);
-	dir->attrmask = att_mask | A_DIR;
-
-	dir->handle = HDIR_CREATE;
-	dir->count = 100;
-#if OS2 >= 2
-	rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask,
-		dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-	rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask,
-		(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-	switch (rc) {
-	default:
-		free(dir);
-		error(rc);
-		return NULL;
-	case NO_ERROR:
-	case ERROR_NO_MORE_FILES:
-		;
-	}
-
-	dir->number = 0;
-	dir->index = 0;
-	dir->next = (FFBUF *)dir->ffbuf;
-
-	return (DIR *)dir;
-}
-
-DIR *
-opendir(const char *pathname)
-{
-	return openxdir(pathname, 0);
-}
-
-struct dirent *
-readdir(DIR *dir)
-{
-	static int dummy_ino = 2;
-
-	if (dir->index == dir->count) {
-		Word rc;
-		dir->count = 100;
-#if OS2 >= 2
-		rc = DosFindNext(dir->handle, dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#else
-		rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#endif
-		if (rc) {
-			error(rc);
-			return NULL;
-		}
-
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	if (dir->index == dir->count)
-		return NULL;
-
-	memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName);
-	dir->entry.d_name[dir->next->cchName] = '\0';
-	dir->entry.d_ino = dummy_ino++;
-	dir->entry.d_reclen = dir->next->cchName;
-	dir->entry.d_namlen = dir->next->cchName;
-	dir->entry.d_size = dir->next->cbFile;
-	dir->entry.d_attribute = dir->next->attrFile;
-	dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite;
-	dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite;
-
-	switch (dir->fstype) {
-	case 'F': /* FAT */
-	case 'C': /* CDFS */
-		if (dir->next->attrFile & FILE_DIRECTORY)
-			strupr(dir->entry.d_name);
-		else
-			strlwr(dir->entry.d_name);
-	}
-
-#if OS2 >= 2
-	dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset);
-#else
-	dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1);
-#endif
-	++dir->number;
-	++dir->index;
-
-	return &dir->entry;
-}
-
-long
-telldir(DIR *dir)
-{
-	return dir->number;
-}
-
-void
-seekdir(DIR *dir, long off)
-{
-	if (dir->number > off) {
-		char name[MAXPATHLEN+2];
-		Word rc;
-
-		DosFindClose(dir->handle);
-
-		strcpy(name, dir->name);
-		strcat(name, "*");
-
-		dir->handle = HDIR_CREATE;
-		dir->count = 32767;
-#if OS2 >= 2
-		rc = DosFindFirst(name, &dir->handle, dir->attrmask,
-			dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-		rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask,
-			(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-		switch (rc) {
-		default:
-			error(rc);
-			return;
-		case NO_ERROR:
-		case ERROR_NO_MORE_FILES:
-			;
-		}
-
-		dir->number = 0;
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	while (dir->number < off && readdir(dir))
-		;
-}
-
-void
-closedir(DIR *dir)
-{
-	DosFindClose(dir->handle);
-	free(dir);
-}
-
-/*****************************************************************************/
-
-#ifdef TEST
-
-main(int argc, char **argv)
-{
-	int i;
-	DIR *dir;
-	struct dirent *ep;
-
-	for (i = 1; i < argc; ++i) {
-		dir = opendir(argv[i]);
-		if (!dir)
-			continue;
-		while (ep = readdir(dir))
-			if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1]))
-				printf("%s%s\n", argv[i], ep->d_name);
-			else
-				printf("%s/%s\n", argv[i], ep->d_name);
-		closedir(dir);
-	}
-
-	return 0;
-}
-
-#endif
-
-#endif /* OS2 */
-
deleted file mode 100644
--- a/security/dbm/src/dirent.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __DIRENT_H__
-#define __DIRENT_H__
-/*
- * @(#)msd_dir.h 1.4 87/11/06   Public Domain.
- *
- *  A public domain implementation of BSD directory routines for
- *  MS-DOS.  Written by Michael Rendell ({uunet,utai}michael@garfield),
- *  August 1897
- *
- *  Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks
- *  and returns 2 more pieces of information - file size & attribute.
- *  Plus a little reshuffling of some #define's positions    December 1987
- *
- *  Some modifications by Martin Junius                      02-14-89
- *
- *	AK900712
- *	AK910410	abs_path - make absolute path
- *
- */
-
-#ifdef __EMX__
-#include <sys/param.h>
-#else
-#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC)
-#include <stdio.h>
-#ifdef MAXPATHLEN
-	#undef MAXPATHLEN
-#endif
-#define MAXPATHLEN (FILENAME_MAX*4)
-#define MAXNAMLEN FILENAME_MAX
-
-#else
-#include <param.h>
-#endif
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* attribute stuff */
-#ifndef A_RONLY
-# define A_RONLY   0x01
-# define A_HIDDEN  0x02
-# define A_SYSTEM  0x04
-# define A_LABEL   0x08
-# define A_DIR     0x10
-# define A_ARCHIVE 0x20
-#endif
-
-struct dirent {
-#if defined(OS2) || defined(WIN32)        /* use the layout of EMX to avoid trouble */
-    int            d_ino;                 /* Dummy */
-    int            d_reclen;		  /* Dummy, same as d_namlen */
-    int            d_namlen;              /* length of name */
-    char           d_name[MAXNAMLEN + 1];
-    unsigned long  d_size;
-    unsigned short d_attribute;           /* attributes (see above) */
-    unsigned short d_time;                /* modification time */
-    unsigned short d_date;                /* modification date */
-#else
-    char	   d_name[MAXNAMLEN + 1]; /* garentee null termination */
-    char	   d_attribute;		  /* .. extension .. */
-    unsigned long  d_size;		  /* .. extension .. */
-#endif
-};
-
-typedef struct _dirdescr DIR;
-/* the structs do not have to be defined here */
-
-extern DIR		*opendir(const char *);
-extern DIR		*openxdir(const char *, unsigned);
-extern struct dirent	*readdir(DIR *);
-extern void		seekdir(DIR *, long);
-extern long		telldir(DIR *);
-extern void 		closedir(DIR *);
-#define			rewinddir(dirp) seekdir(dirp, 0L)
-
-extern char *		abs_path(const char *name, char *buffer, int len);
-
-#ifndef S_IFMT
-#define S_IFMT ( S_IFDIR | S_IFREG )
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR( m )                    (((m) & S_IFMT) == S_IFDIR)
-#endif
-
-#ifndef S_ISREG
-#define S_ISREG( m )                    (((m) & S_IFMT) == S_IFREG)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
deleted file mode 100644
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-#
-# memmove.c, snprintf.c, and strerror.c are not in CSRCS because
-# the Standard C Library has memmove and strerror and DBM is not
-# using snprintf.
-#
-
-CSRCS = db.c	   \
-	h_bigkey.c \
-	h_func.c   \
-	h_log2.c   \
-	h_page.c   \
-	hash.c	   \
-	hash_buf.c \
-	hsearch.c  \
-	mktemp.c   \
-	ndbm.c	   \
-	nsres.c	   \
-	dirent.c	   \
-	$(NULL)
-
-LIBRARY_NAME = dbm
deleted file mode 100644
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-VPATH		= $(CORE_DEPTH)/../dbm/tests
-
-MODULE		= dbm
-
-CSRCS		= lots.c
-
-PROGRAM		= lots
-
-include $(DEPTH)/coreconf/config.mk
-
-include $(DEPTH)/dbm/config/config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET))) 
-LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS		= $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
-	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
-	$(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
-	purify $(CC) -o crash.pure $(CFLAGS) $^
-
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -75,19 +75,24 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 nss_build_all: build_coreconf build_nspr build_dbm all
 
+nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+
 build_coreconf:
 	cd $(CORE_DEPTH)/coreconf ;  $(MAKE)
 
+clobber_coreconf:
+	cd $(CORE_DEPTH)/coreconf ;  $(MAKE) clobber
+
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
 ifdef BUILD_OPT
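Review bot: The new `clobber_coreconf` recipe chains `cd $(CORE_DEPTH)/coreconf` and `$(MAKE) clobber` with `;`, so a failed `cd` does not stop the recipe. The destructive `clobber` then runs in the directory the recipe shell started in, presumably security/nss itself, and the failure is reported only as a shell message. Using `&&` makes the recipe fail instead: `cd $(CORE_DEPTH)/coreconf && $(MAKE) clobber`. The same applies to `clobber_nspr` and `clobber_dbm` in the next hunk. The existing `build_coreconf` recipe uses the same `;` form, but a misdirected build is less harmful than a misdirected clean.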
@@ -133,20 +138,24 @@ endif
 	$(NSPR_COMPILERS) sh ../configure \
 	$(NSPR_CONFIGURE_OPTS) \
 	--with-dist-prefix='$(NSPR_PREFIX)' \
 	--with-dist-includedir='$(NSPR_PREFIX)/include'
 
 build_nspr: $(NSPR_CONFIG_STATUS)
 	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE)
 
+clobber_nspr: $(NSPR_CONFIG_STATUS)
+	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
+
 build_dbm:
 	cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
 
-	
+clobber_dbm:
+	cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber
 
 moz_import::
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 	$(NSINSTALL) -D $(DIST)/include/nspr
 	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
 	cp $(DIST)/../include/* $(DIST)/include
 ifdef BUILD_OPT
 	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
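Review bot: `clobber_nspr` lists `$(NSPR_CONFIG_STATUS)` as a prerequisite, so running `nss_clean_all` on a tree where that file is missing will first have to build it. The recipe tail at the top of this hunk (`sh ../configure ...`) looks like the rule for that file, though its target line is outside the hunk. If so, a clean runs the whole NSPR configure step only to remove its output again. Dropping the prerequisite and guarding the recipe avoids that: `clobber_nspr:` followed by `if test -f $(NSPR_CONFIG_STATUS); then cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) && $(MAKE) clobber; fi`. None of the new targets is declared `.PHONY` in the visible lines, which is worth confirming in the rest of the file.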
--- a/security/nss/cmd/Makefile
+++ b/security/nss/cmd/Makefile
@@ -41,150 +41,17 @@ DEPTH = ../..
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 
 ifndef USE_SYSTEM_ZLIB
 ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
 endif
 
-# These sources were once in this directory, but now are gone.
-MISSING_SOURCES = \
-	addcert.c \
-	berparse.c \
-	cert.c	\
-	key.c	\
-	key_rand.c \
-	keygen.c \
-	sec_fe.c \
-	sec_read.c \
-	secarb.c \
-	secutil.c \
-	$(NULL)
-
-# we don't build these any more, but the sources are still here
-OBSOLETE = \
-	berdec.c \
-	berdump.c \
-	cypher.c \
-	dumpcert.c \
-	listcerts.c \
-	mkdongle.c \
-	p12exprt.c \
-	p12imprt.c \
-	rc4.c \
-	sign.c \
-	unwrap.c \
-	vector.c \
-	verify.c \
-	wrap.c \
-	$(NULL)
-
-# the base files for the executables
-# hey -- keep these alphabetical, please
-EXEC_SRCS = \
-	$(NULL)
-
-# files that generate two separate objects and executables
-# BI_SRCS	= \
-# 	keyutil.c \
-# 	p7env.c \
-# 	tstclnt.c \
-# 	$(NULL)
-
-#	-I$(CORE_DEPTH)/security/lib/cert \
-#	-I$(CORE_DEPTH)/security/lib/key \
-#	-I$(CORE_DEPTH)/security/lib/util  \
-
 INCLUDES += \
 	-I$(DIST)/../public/security \
 	-I./include \
 	$(NULL)
 
-TBD_DIRS = rsh rshd rdist ssld
-
-# For the time being, sec stuff is export only
-# US_FLAGS = -DEXPORT_VERSION -DUS_VERSION
-
-US_FLAGS = -DEXPORT_VERSION
-EXPORT_FLAGS = -DEXPORT_VERSION
-
-BASE_LIBS = \
-	$(DIST)/lib/libdbm.$(LIB_SUFFIX) \
-	$(DIST)/lib/libxp.$(LIB_SUFFIX) \
-	$(DIST)/lib/libnspr.$(LIB_SUFFIX) \
-	$(NULL)
-
-#	$(DIST)/lib/libpurenspr.$(LIB_SUFFIX) \
-
-#There is a circular dependancy in security/lib, and here is a gross fix
-SEC_LIBS = \
-	$(DIST)/lib/libsecnav.$(LIB_SUFFIX) \
-        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
-        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
-        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
-	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
-        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
-        $(DIST)/lib/libssl.$(LIB_SUFFIX) \
-        $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcert.$(LIB_SUFFIX) \
-        $(DIST)/lib/libkey.$(LIB_SUFFIX) \
-	$(DIST)/lib/libsecmod.$(LIB_SUFFIX) \
-        $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \
-        $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
-        $(DIST)/lib/libhash.$(LIB_SUFFIX) \
-	$(NULL)
-
-MYLIB	= lib/$(OBJDIR)/libsectool.$(LIB_SUFFIX)
-
-US_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS)
-EX_LIBS	= $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS) 
-
-REQUIRES = libxp nspr security
-
-CSRCS	= $(EXEC_SRCS) $(BI_SRCS)
-
-OBJS	= $(CSRCS:.c=.o) $(BI_SRCS:.c=-us.o) $(BI_SRCS:.c=-ex.o)
-
-PROGS		= $(addprefix $(OBJDIR)/, $(EXEC_SRCS:.c=$(BIN_SUFFIX)))
-US_PROGS 	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-us$(BIN_SUFFIX)))
-EX_PROGS	= $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-ex$(BIN_SUFFIX)))
-
-
-NON_DIRS = $(PROGS) $(US_PROGS) $(EX_PROGS)
-TARGETS = $(NON_DIRS)
-
 include $(CORE_DEPTH)/coreconf/rules.mk
 
-
-ifneq ($(OS_TARGET),OS2)
-$(OBJDIR)/%-us.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(US_FLAGS) -c $*.c
-
-$(OBJDIR)/%-ex.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(EXPORT_FLAGS) -c $*.c
-
-$(OBJDIR)/%.o: %.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(EXPORT_FLAGS) -c $*.c
-
-$(US_PROGS):$(OBJDIR)/%-us: $(OBJDIR)/%-us.o $(US_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(OBJDIR)/$*-us.o $(LDFLAGS) $(US_LIBS) $(OS_LIBS)
-
-$(EX_PROGS):$(OBJDIR)/%-ex: $(OBJDIR)/%-ex.o $(EX_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $(OBJDIR)/$*-ex.o $(LDFLAGS) $(EX_LIBS) $(OS_LIBS)
-
-$(PROGS):$(OBJDIR)/%: $(OBJDIR)/%.o $(EX_LIBS)
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $@ $@.o $(LDFLAGS) $(EX_LIBS) $(OS_LIBS)
-
-#install:: $(TARGETS)
-#	$(INSTALL) $(TARGETS) $(DIST)/bin
-endif
-
 symbols::
 	@echo "TARGETS	= $(TARGETS)"
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/NSPRerrs.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/SECerrs.h
+++ /dev/null
@@ -1,444 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* General security error codes  */
-/* Caller must #include "secerr.h" */
-
-ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
-"An I/O error occurred during security authorization.")
-
-ER3(SEC_ERROR_LIBRARY_FAILURE,			SEC_ERROR_BASE + 1,
-"security library failure.")
-
-ER3(SEC_ERROR_BAD_DATA,				SEC_ERROR_BASE + 2,
-"security library: received bad data.")
-
-ER3(SEC_ERROR_OUTPUT_LEN,			SEC_ERROR_BASE + 3,
-"security library: output length error.")
-
-ER3(SEC_ERROR_INPUT_LEN,			SEC_ERROR_BASE + 4,
-"security library has experienced an input length error.")
-
-ER3(SEC_ERROR_INVALID_ARGS,			SEC_ERROR_BASE + 5,
-"security library: invalid arguments.")
-
-ER3(SEC_ERROR_INVALID_ALGORITHM,		SEC_ERROR_BASE + 6,
-"security library: invalid algorithm.")
-
-ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
-"security library: invalid AVA.")
-
-ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
-"Improperly formatted time string.")
-
-ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
-"security library: improperly formatted DER-encoded message.")
-
-ER3(SEC_ERROR_BAD_SIGNATURE,			SEC_ERROR_BASE + 10,
-"Peer's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_EXPIRED_CERTIFICATE,		SEC_ERROR_BASE + 11,
-"Peer's Certificate has expired.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE,		SEC_ERROR_BASE + 12,
-"Peer's Certificate has been revoked.")
-
-ER3(SEC_ERROR_UNKNOWN_ISSUER,			SEC_ERROR_BASE + 13,
-"Peer's Certificate issuer is not recognized.")
-
-ER3(SEC_ERROR_BAD_KEY,				SEC_ERROR_BASE + 14,
-"Peer's public key is invalid.")
-
-ER3(SEC_ERROR_BAD_PASSWORD,			SEC_ERROR_BASE + 15,
-"The security password entered is incorrect.")
-
-ER3(SEC_ERROR_RETRY_PASSWORD,			SEC_ERROR_BASE + 16,
-"New password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_NO_NODELOCK,			SEC_ERROR_BASE + 17,
-"security library: no nodelock.")
-
-ER3(SEC_ERROR_BAD_DATABASE,			SEC_ERROR_BASE + 18,
-"security library: bad database.")
-
-ER3(SEC_ERROR_NO_MEMORY,			SEC_ERROR_BASE + 19,
-"security library: memory allocation failure.")
-
-ER3(SEC_ERROR_UNTRUSTED_ISSUER,			SEC_ERROR_BASE + 20,
-"Peer's certificate issuer has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_UNTRUSTED_CERT,			SEC_ERROR_BASE + 21,
-"Peer's certificate has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT,			(SEC_ERROR_BASE + 22),
-"Certificate already exists in your database.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT_NAME,		(SEC_ERROR_BASE + 23),
-"Downloaded certificate's name duplicates one already in your database.")
-
-ER3(SEC_ERROR_ADDING_CERT,			(SEC_ERROR_BASE + 24),
-"Error adding certificate to database.")
-
-ER3(SEC_ERROR_FILING_KEY,			(SEC_ERROR_BASE + 25),
-"Error refiling the key for this certificate.")
-
-ER3(SEC_ERROR_NO_KEY,				(SEC_ERROR_BASE + 26),
-"The private key for this certificate cannot be found in key database")
-
-ER3(SEC_ERROR_CERT_VALID,			(SEC_ERROR_BASE + 27),
-"This certificate is valid.")
-
-ER3(SEC_ERROR_CERT_NOT_VALID,			(SEC_ERROR_BASE + 28),
-"This certificate is not valid.")
-
-ER3(SEC_ERROR_CERT_NO_RESPONSE,			(SEC_ERROR_BASE + 29),
-"Cert Library: No Response")
-
-ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE,	(SEC_ERROR_BASE + 30),
-"The certificate issuer's certificate has expired.  Check your system date and time.")
-
-ER3(SEC_ERROR_CRL_EXPIRED,			(SEC_ERROR_BASE + 31),
-"The CRL for the certificate's issuer has expired.  Update it or check your system data and time.")
-
-ER3(SEC_ERROR_CRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 32),
-"The CRL for the certificate's issuer has an invalid signature.")
-
-ER3(SEC_ERROR_CRL_INVALID,			(SEC_ERROR_BASE + 33),
-"New CRL has an invalid format.")
-
-ER3(SEC_ERROR_EXTENSION_VALUE_INVALID,		(SEC_ERROR_BASE + 34),
-"Certificate extension value is invalid.")
-
-ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
-"Certificate extension not found.")
-
-ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
-"Issuer certificate is invalid.")
-   
-ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
-"Certificate path length constraint is invalid.")
-
-ER3(SEC_ERROR_CERT_USAGES_INVALID,		(SEC_ERROR_BASE + 38),
-"Certificate usages field is invalid.")
-
-ER3(SEC_INTERNAL_ONLY,				(SEC_ERROR_BASE + 39),
-"**Internal ONLY module**")
-
-ER3(SEC_ERROR_INVALID_KEY,			(SEC_ERROR_BASE + 40),
-"The key does not support the requested operation.")
-
-ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,	(SEC_ERROR_BASE + 41),
-"Certificate contains unknown critical extension.")
-
-ER3(SEC_ERROR_OLD_CRL,				(SEC_ERROR_BASE + 42),
-"New CRL is not later than the current one.")
-
-ER3(SEC_ERROR_NO_EMAIL_CERT,			(SEC_ERROR_BASE + 43),
-"Not encrypted or signed: you do not yet have an email certificate.")
-
-ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY,		(SEC_ERROR_BASE + 44),
-"Not encrypted: you do not have certificates for each of the recipients.")
-
-ER3(SEC_ERROR_NOT_A_RECIPIENT,			(SEC_ERROR_BASE + 45),
-"Cannot decrypt: you are not a recipient, or matching certificate and \
-private key not found.")
-
-ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH,		(SEC_ERROR_BASE + 46),
-"Cannot decrypt: key encryption algorithm does not match your certificate.")
-
-ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE,		(SEC_ERROR_BASE + 47),
-"Signature verification failed: no signer found, too many signers found, \
-or improper or corrupted data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_KEYALG,		(SEC_ERROR_BASE + 48),
-"Unsupported or unknown key algorithm.")
-
-ER3(SEC_ERROR_DECRYPTION_DISALLOWED,		(SEC_ERROR_BASE + 49),
-"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
-
-
-/* Fortezza Alerts */
-ER3(XP_SEC_FORTEZZA_BAD_CARD,			(SEC_ERROR_BASE + 50),
-"Fortezza card has not been properly initialized.  \
-Please remove it and return it to your issuer.")
-
-ER3(XP_SEC_FORTEZZA_NO_CARD,			(SEC_ERROR_BASE + 51),
-"No Fortezza cards Found")
-
-ER3(XP_SEC_FORTEZZA_NONE_SELECTED,		(SEC_ERROR_BASE + 52),
-"No Fortezza card selected")
-
-ER3(XP_SEC_FORTEZZA_MORE_INFO,			(SEC_ERROR_BASE + 53),
-"Please select a personality to get more info on")
-
-ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND,		(SEC_ERROR_BASE + 54),
-"Personality not found")
-
-ER3(XP_SEC_FORTEZZA_NO_MORE_INFO,		(SEC_ERROR_BASE + 55),
-"No more information on that Personality")
-
-ER3(XP_SEC_FORTEZZA_BAD_PIN,			(SEC_ERROR_BASE + 56),
-"Invalid Pin")
-
-ER3(XP_SEC_FORTEZZA_PERSON_ERROR,		(SEC_ERROR_BASE + 57),
-"Couldn't initialize Fortezza personalities.")
-/* end fortezza alerts. */
-
-ER3(SEC_ERROR_NO_KRL,				(SEC_ERROR_BASE + 58),
-"No KRL for this site's certificate has been found.")
-
-ER3(SEC_ERROR_KRL_EXPIRED,			(SEC_ERROR_BASE + 59),
-"The KRL for this site's certificate has expired.")
-
-ER3(SEC_ERROR_KRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 60),
-"The KRL for this site's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_REVOKED_KEY,			(SEC_ERROR_BASE + 61),
-"The key for this site's certificate has been revoked.")
-
-ER3(SEC_ERROR_KRL_INVALID,			(SEC_ERROR_BASE + 62),
-"New KRL has an invalid format.")
-
-ER3(SEC_ERROR_NEED_RANDOM,			(SEC_ERROR_BASE + 63),
-"security library: need random data.")
-
-ER3(SEC_ERROR_NO_MODULE,			(SEC_ERROR_BASE + 64),
-"security library: no security module can perform the requested operation.")
-
-ER3(SEC_ERROR_NO_TOKEN,				(SEC_ERROR_BASE + 65),
-"The security card or token does not exist, needs to be initialized, or has been removed.")
-
-ER3(SEC_ERROR_READ_ONLY,			(SEC_ERROR_BASE + 66),
-"security library: read-only database.")
-
-ER3(SEC_ERROR_NO_SLOT_SELECTED,			(SEC_ERROR_BASE + 67),
-"No slot or token was selected.")
-
-ER3(SEC_ERROR_CERT_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 68),
-"A certificate with the same nickname already exists.")
-
-ER3(SEC_ERROR_KEY_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 69),
-"A key with the same nickname already exists.")
-
-ER3(SEC_ERROR_SAFE_NOT_CREATED,			(SEC_ERROR_BASE + 70),
-"error while creating safe object")
-
-ER3(SEC_ERROR_BAGGAGE_NOT_CREATED,		(SEC_ERROR_BASE + 71),
-"error while creating baggage object")
-
-ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR,		(SEC_ERROR_BASE + 72),
-"Couldn't remove the principal")
-
-ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR,		(SEC_ERROR_BASE + 73),
-"Couldn't delete the privilege")
-
-ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR,		(SEC_ERROR_BASE + 74),
-"This principal doesn't have a certificate")
-
-ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM,		(SEC_ERROR_BASE + 75),
-"Required algorithm is not allowed.")
-
-ER3(SEC_ERROR_EXPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 76),
-"Error attempting to export certificates.")
-
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
-
-ER3(SEC_ERROR_PKCS12_DECODING_PFX,		(SEC_ERROR_BASE + 78),
-"Unable to import.  Decoding error.  File not valid.")
-
-ER3(SEC_ERROR_PKCS12_INVALID_MAC,		(SEC_ERROR_BASE + 79),
-"Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM,	(SEC_ERROR_BASE + 80),
-"Unable to import.  MAC algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import.  Only password integrity and privacy modes supported.")
-
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE,	(SEC_ERROR_BASE + 82),
-"Unable to import.  File structure is corrupt.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import.  Encryption algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION,	(SEC_ERROR_BASE + 84),
-"Unable to import.  File version not supported.")
-
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import.  Incorrect privacy password.")
-
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION,		(SEC_ERROR_BASE + 86),
-"Unable to import.  Same nickname already exists in database.")
-
-ER3(SEC_ERROR_USER_CANCELLED,			(SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
-
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA,		(SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
-
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED,		(SEC_ERROR_BASE + 89),
-"Message not sent.")
-
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE,		(SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
-
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE,		(SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
-
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH,		(SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY,	(SEC_ERROR_BASE + 93),
-"Unable to import.  Error attempting to import private key.")
-
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN,	(SEC_ERROR_BASE + 94),
-"Unable to import.  Error attempting to import certificate chain.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export.  Unable to locate certificate or key by nickname.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY,	(SEC_ERROR_BASE + 96),
-"Unable to export.  Private Key could not be located and exported.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, 		(SEC_ERROR_BASE + 97),
-"Unable to export.  Unable to write the export file.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ,		(SEC_ERROR_BASE + 98),
-"Unable to import.  Unable to read the import file.")
-
-ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export.  Key database corrupt or deleted.")
-
-ER3(SEC_ERROR_KEYGEN_FAIL,			(SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
-
-ER3(SEC_ERROR_INVALID_PASSWORD,			(SEC_ERROR_BASE + 101),
-"Password entered is invalid.  Please pick a different one.")
-
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD,		(SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
-
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
-
-/* ER3(SEC_ERROR_UNKNOWN, 			(SEC_ERROR_BASE + 105), */
-
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
-"Invalid module name.")
-
-ER3(SEC_ERROR_JS_INVALID_DLL, 			(SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
-
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, 		(SEC_ERROR_BASE + 108),
-"Unable to add module")
-
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
-"Unable to delete module")
-
-ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
- 
-ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL.  Delete current CKL.")
-
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
-certificate with this name.")
-
-ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
-
-ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
-
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
-
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
-
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
-
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
-
-ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
-this certificate.")
-
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
-
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/SSLerrs.h
+++ /dev/null
@@ -1,369 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* SSL-specific security error codes  */
-/* caller must include "sslerr.h" */
-
-ER3(SSL_ERROR_EXPORT_ONLY_SERVER,			SSL_ERROR_BASE + 0,
-"Unable to communicate securely.  Peer does not support high-grade encryption.")
-
-ER3(SSL_ERROR_US_ONLY_SERVER,				SSL_ERROR_BASE + 1,
-"Unable to communicate securely.  Peer requires high-grade encryption which is not supported.")
-
-ER3(SSL_ERROR_NO_CYPHER_OVERLAP,			SSL_ERROR_BASE + 2,
-"Cannot communicate securely with peer: no common encryption algorithm(s).")
-
-ER3(SSL_ERROR_NO_CERTIFICATE,				SSL_ERROR_BASE + 3,
-"Unable to find the certificate or key necessary for authentication.")
-
-ER3(SSL_ERROR_BAD_CERTIFICATE,				SSL_ERROR_BASE + 4,
-"Unable to communicate securely with peer: peers's certificate was rejected.")
-
-/* unused						(SSL_ERROR_BASE + 5),*/
-
-ER3(SSL_ERROR_BAD_CLIENT,				SSL_ERROR_BASE + 6,
-"The server has encountered bad data from the client.")
-
-ER3(SSL_ERROR_BAD_SERVER,				SSL_ERROR_BASE + 7,
-"The client has encountered bad data from the server.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,		SSL_ERROR_BASE + 8,
-"Unsupported certificate type.")
-
-ER3(SSL_ERROR_UNSUPPORTED_VERSION,			SSL_ERROR_BASE + 9,
-"Peer using unsupported version of security protocol.")
-
-/* unused						(SSL_ERROR_BASE + 10),*/
-
-ER3(SSL_ERROR_WRONG_CERTIFICATE,			SSL_ERROR_BASE + 11,
-"Client authentication failed: private key in key database does not match public key in certificate database.")
-
-ER3(SSL_ERROR_BAD_CERT_DOMAIN,				SSL_ERROR_BASE + 12,
-"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
-
-/* SSL_ERROR_POST_WARNING				(SSL_ERROR_BASE + 13),
-   defined in sslerr.h
-*/
-
-ER3(SSL_ERROR_SSL2_DISABLED,				(SSL_ERROR_BASE + 14),
-"Peer only supports SSL version 2, which is locally disabled.")
-
-
-ER3(SSL_ERROR_BAD_MAC_READ,				(SSL_ERROR_BASE + 15),
-"SSL received a record with an incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_MAC_ALERT,				(SSL_ERROR_BASE + 16),
-"SSL peer reports incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_CERT_ALERT,				(SSL_ERROR_BASE + 17),
-"SSL peer cannot verify your certificate.")
-
-ER3(SSL_ERROR_REVOKED_CERT_ALERT,			(SSL_ERROR_BASE + 18),
-"SSL peer rejected your certificate as revoked.")
-
-ER3(SSL_ERROR_EXPIRED_CERT_ALERT,			(SSL_ERROR_BASE + 19),
-"SSL peer rejected your certificate as expired.")
-
-ER3(SSL_ERROR_SSL_DISABLED,				(SSL_ERROR_BASE + 20),
-"Cannot connect: SSL is disabled.")
-
-ER3(SSL_ERROR_FORTEZZA_PQG,				(SSL_ERROR_BASE + 21),
-"Cannot connect: SSL peer is in another FORTEZZA domain.")
-
-
-ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE          , (SSL_ERROR_BASE + 22),
-"An unknown SSL cipher suite has been requested.")
-
-ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED          , (SSL_ERROR_BASE + 23),
-"No cipher suites are present and enabled in this program.")
-
-ER3(SSL_ERROR_BAD_BLOCK_PADDING             , (SSL_ERROR_BASE + 24),
-"SSL received a record with bad block padding.")
-
-ER3(SSL_ERROR_RX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 25),
-"SSL received a record that exceeded the maximum permissible length.")
-
-ER3(SSL_ERROR_TX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 26),
-"SSL attempted to send a record that exceeded the maximum permissible length.")
-
-/*
- * Received a malformed (too long or short or invalid content) SSL handshake.
- */
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST    , (SSL_ERROR_BASE + 27),
-"SSL received a malformed Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO     , (SSL_ERROR_BASE + 28),
-"SSL received a malformed Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO     , (SSL_ERROR_BASE + 29),
-"SSL received a malformed Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE      , (SSL_ERROR_BASE + 30),
-"SSL received a malformed Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH  , (SSL_ERROR_BASE + 31),
-"SSL received a malformed Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST     , (SSL_ERROR_BASE + 32),
-"SSL received a malformed Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE       , (SSL_ERROR_BASE + 33),
-"SSL received a malformed Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY      , (SSL_ERROR_BASE + 34),
-"SSL received a malformed Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH  , (SSL_ERROR_BASE + 35),
-"SSL received a malformed Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_FINISHED         , (SSL_ERROR_BASE + 36),
-"SSL received a malformed Finished handshake message.")
-
-/*
- * Received a malformed (too long or short) SSL record.
- */
-ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER    , (SSL_ERROR_BASE + 37),
-"SSL received a malformed Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_ALERT            , (SSL_ERROR_BASE + 38),
-"SSL received a malformed Alert record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE        , (SSL_ERROR_BASE + 39),
-"SSL received a malformed Handshake record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
-"SSL received a malformed Application Data record.")
-
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST   , (SSL_ERROR_BASE + 41),
-"SSL received an unexpected Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO    , (SSL_ERROR_BASE + 42),
-"SSL received an unexpected Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO    , (SSL_ERROR_BASE + 43),
-"SSL received an unexpected Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE     , (SSL_ERROR_BASE + 44),
-"SSL received an unexpected Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
-"SSL received an unexpected Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST    , (SSL_ERROR_BASE + 46),
-"SSL received an unexpected Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE      , (SSL_ERROR_BASE + 47),
-"SSL received an unexpected Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY     , (SSL_ERROR_BASE + 48),
-"SSL received an unexpected Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
-"SSL received an unexpected Cllient Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED        , (SSL_ERROR_BASE + 50),
-"SSL received an unexpected Finished handshake message.")
-
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER   , (SSL_ERROR_BASE + 51),
-"SSL received an unexpected Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_ALERT           , (SSL_ERROR_BASE + 52),
-"SSL received an unexpected Alert record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE       , (SSL_ERROR_BASE + 53),
-"SSL received an unexpected Handshake record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
-"SSL received an unexpected Application Data record.")
-
-/*
- * Received record/message with unknown discriminant.
- */
-ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE        , (SSL_ERROR_BASE + 55),
-"SSL received a record with an unknown content type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE          , (SSL_ERROR_BASE + 56),
-"SSL received a handshake message with an unknown message type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_ALERT              , (SSL_ERROR_BASE + 57),
-"SSL received an alert record with an unknown alert description.")
-
-/*
- * Received an alert reporting what we did wrong.  (more alerts above)
- */
-ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT            , (SSL_ERROR_BASE + 58),
-"SSL peer has closed this connection.")
-
-ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT    , (SSL_ERROR_BASE + 59),
-"SSL peer was not expecting a handshake message it received.")
-
-ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT   , (SSL_ERROR_BASE + 60),
-"SSL peer was unable to succesfully decompress an SSL record it received.")
-
-ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT       , (SSL_ERROR_BASE + 61),
-"SSL peer was unable to negotiate an acceptable set of security parameters.")
-
-ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT       , (SSL_ERROR_BASE + 62),
-"SSL peer rejected a handshake message for unacceptable content.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT        , (SSL_ERROR_BASE + 63),
-"SSL peer does not support certificates of the type it received.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT     , (SSL_ERROR_BASE + 64),
-"SSL peer had some unspecified issue with the certificate it received.")
-
-
-ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE       , (SSL_ERROR_BASE + 65),
-"SSL experienced a failure of its random number generator.")
-
-ER3(SSL_ERROR_SIGN_HASHES_FAILURE           , (SSL_ERROR_BASE + 66),
-"Unable to digitally sign data required to verify your certificate.")
-
-ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE    , (SSL_ERROR_BASE + 67),
-"SSL was unable to extract the public key from the peer's certificate.")
-
-ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 68),
-"Unspecified failure while processing SSL Server Key Exchange handshake.")
-
-ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 69),
-"Unspecified failure while processing SSL Client Key Exchange handshake.")
-
-ER3(SSL_ERROR_ENCRYPTION_FAILURE            , (SSL_ERROR_BASE + 70),
-"Bulk data encryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILURE            , (SSL_ERROR_BASE + 71),
-"Bulk data decryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_SOCKET_WRITE_FAILURE          , (SSL_ERROR_BASE + 72),
-"Attempt to write encrypted data to underlying socket failed.")
-
-ER3(SSL_ERROR_MD5_DIGEST_FAILURE            , (SSL_ERROR_BASE + 73),
-"MD5 digest function failed.")
-
-ER3(SSL_ERROR_SHA_DIGEST_FAILURE            , (SSL_ERROR_BASE + 74),
-"SHA-1 digest function failed.")
-
-ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE       , (SSL_ERROR_BASE + 75),
-"MAC computation failed.")
-
-ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE       , (SSL_ERROR_BASE + 76),
-"Failure to create Symmetric Key context.")
-
-ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE        , (SSL_ERROR_BASE + 77),
-"Failure to unwrap the Symmetric key in Client Key Exchange message.")
-
-ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED   , (SSL_ERROR_BASE + 78),
-"SSL Server attempted to use domestic-grade public key with export cipher suite.")
-
-ER3(SSL_ERROR_IV_PARAM_FAILURE              , (SSL_ERROR_BASE + 79),
-"PKCS11 code failed to translate an IV into a param.")
-
-ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE     , (SSL_ERROR_BASE + 80),
-"Failed to initialize the selected cipher suite.")
-
-ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE       , (SSL_ERROR_BASE + 81),
-"Client failed to generate session keys for SSL session.")
-
-ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG         , (SSL_ERROR_BASE + 82),
-"Server has no key for the attempted key exchange algorithm.")
-
-ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL       , (SSL_ERROR_BASE + 83),
-"PKCS#11 token was inserted or removed while operation was in progress.")
-
-ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND          , (SSL_ERROR_BASE + 84),
-"No PKCS#11 token could be found to do a required operation.")
-
-ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP        , (SSL_ERROR_BASE + 85),
-"Cannot communicate securely with peer: no common compression algorithm(s).")
-
-ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED       , (SSL_ERROR_BASE + 86),
-"Cannot initiate another SSL handshake until current handshake is complete.")
-
-ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      , (SSL_ERROR_BASE + 87),
-"Received incorrect handshakes hash values from peer.")
-
-ER3(SSL_ERROR_CERT_KEA_MISMATCH             , (SSL_ERROR_BASE + 88),
-"The certificate provided cannot be used with the selected key exchange algorithm.")
-
-ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	, (SSL_ERROR_BASE + 89),
-"No certificate authority is trusted for SSL client authentication.")
-
-ER3(SSL_ERROR_SESSION_NOT_FOUND		, (SSL_ERROR_BASE + 90),
-"Client's SSL session ID not found in server's session cache.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT     , (SSL_ERROR_BASE + 91),
-"Peer was unable to decrypt an SSL record it received.")
-
-ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT       , (SSL_ERROR_BASE + 92),
-"Peer received an SSL record that was longer than is permitted.")
-
-ER3(SSL_ERROR_UNKNOWN_CA_ALERT            , (SSL_ERROR_BASE + 93),
-"Peer does not recognize and trust the CA that issued your certificate.")
-
-ER3(SSL_ERROR_ACCESS_DENIED_ALERT         , (SSL_ERROR_BASE + 94),
-"Peer received a valid certificate, but access was denied.")
-
-ER3(SSL_ERROR_DECODE_ERROR_ALERT          , (SSL_ERROR_BASE + 95),
-"Peer could not decode an SSL handshake message.")
-
-ER3(SSL_ERROR_DECRYPT_ERROR_ALERT         , (SSL_ERROR_BASE + 96),
-"Peer reports failure of signature verification or key exchange.")
-
-ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT    , (SSL_ERROR_BASE + 97),
-"Peer reports negotiation not in compliance with export regulations.")
-
-ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT      , (SSL_ERROR_BASE + 98),
-"Peer reports incompatible or unsupported protocol version.")
-
-ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
-"Server requires ciphers more secure than those supported by client.")
-
-ER3(SSL_ERROR_INTERNAL_ERROR_ALERT        , (SSL_ERROR_BASE + 100),
-"Peer reports it experienced an internal error.")
-
-ER3(SSL_ERROR_USER_CANCELED_ALERT         , (SSL_ERROR_BASE + 101),
-"Peer user canceled handshake.")
-
-ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT      , (SSL_ERROR_BASE + 102),
-"Peer does not permit renegotiation of SSL security parameters.")
-
--- a/security/nss/cmd/SSLsample/client.mn
+++ b/security/nss/cmd/SSLsample/client.mn
@@ -41,14 +41,10 @@ MODULE = nss
 EXPORTS = 
 
 CSRCS =  client.c \
 	sslsample.c \
 	$(NULL)
 
 PROGRAM = client
 
-REQUIRES = dbm 
-
 IMPORTS = nss/lib/nss
 
-DEFINES = -DNSPR20 
-
--- a/security/nss/cmd/SSLsample/server.mn
+++ b/security/nss/cmd/SSLsample/server.mn
@@ -41,12 +41,8 @@ MODULE  = nss
 EXPORTS = 
 
 CSRCS =  server.c	\
 	sslsample.c	\
 	$(NULL)
 
 PROGRAM  = server
 
-REQUIRES = dbm 
-
-DEFINES  = -DNSPR20
-
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -179,17 +179,17 @@ static void Usage()
     PRINTUSAGE("",	"-k", "file which contains key");
 #ifdef NSS_ENABLE_ECC
     PRINTUSAGE("",	"-n", "name of curve for EC key generation; one of:");
     PRINTUSAGE("",  "",   "  sect163k1, nistk163, sect163r1, sect163r2,");
     PRINTUSAGE("",  "",   "  nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
     PRINTUSAGE("",  "",   "  sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
     PRINTUSAGE("",  "",   "  sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
     PRINTUSAGE("",  "",   "  nistb409, sect571k1, nistk571, sect571r1, nistb571,");
-    PRINTUSAGE("",  "",   "  secp169k1, secp160r1, secp160r2, secp192k1, secp192r1,");
+    PRINTUSAGE("",  "",   "  secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
     PRINTUSAGE("",  "",   "  nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
     PRINTUSAGE("",  "",   "  secp256r1, nistp256, secp384r1, nistp384, secp521r1,");
     PRINTUSAGE("",  "",   "  nistp521, prime192v1, prime192v2, prime192v3,");
     PRINTUSAGE("",  "",   "  prime239v1, prime239v2, prime239v3, c2pnb163v1,");
     PRINTUSAGE("",  "",   "  c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,");
     PRINTUSAGE("",  "",   "  c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5,");
     PRINTUSAGE("",  "",   "  c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,");
     PRINTUSAGE("",  "",   "  c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1,");
@@ -2494,19 +2494,22 @@ print_td:
               fprintf(stdout, "%8s", "pqg_mod");
           else
               fprintf(stdout, "%8d", PQG_INDEX_TO_PBITS(info->params.dsa.j));
           break;
 #ifdef NSS_ENABLE_ECC
       case bltestECDSA:
           if (td)
               fprintf(stdout, "%12s", "ec_curve");
-          else
+          else {
+	      ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
               fprintf(stdout, "%12s",
-                      ecCurve_map[info->params.ecdsa.eckey->ecParams.name]->text);
+                      ecCurve_map[curveName]? ecCurve_map[curveName]->text:
+					      "Unsupported curve");
+	  }
           break;
 #endif
       case bltestMD2:
       case bltestMD5:
       case bltestSHA1:
       case bltestSHA256:
       case bltestSHA384:
       case bltestSHA512:
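Review bot: The new NULL test in the `bltestECDSA` branch covers a curve with no table entry, but `curveName` is still used as an index without a range check. If the key's `ecParams.name` can hold a value outside the table (the table's size is not visible in this hunk), the lookup reads past `ecCurve_map` before the NULL test runs. Assuming the table is sized by `ECCurve_pastLastCurve`, the condition could become `(curveName < ECCurve_pastLastCurve && ecCurve_map[curveName]) ? ecCurve_map[curveName]->text : "Unsupported curve"`. The added lines are tab-indented while the surrounding switch uses spaces. The enclosing function starts and ends outside the hunk.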
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -65,17 +65,18 @@
 #include "secasn1.h"
 #include "cert.h"
 #include "cryptohi.h"
 #include "secoid.h"
 #include "certdb.h"
 #include "nss.h"
 
 #define MIN_KEY_BITS		512
-#define MAX_KEY_BITS		2048
+/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
+#define MAX_KEY_BITS		8192
 #define DEFAULT_KEY_BITS	1024
 
 #define GEN_BREAK(e) rv=e; break;
 
 
 extern SECKEYPrivateKey *CERTUTIL_GeneratePrivateKey(KeyType keytype,
 						     PK11SlotInfo *slot, 
                                                      int rsasize,
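Review bot: `MIN_KEY_BITS` and `DEFAULT_KEY_BITS`, on the lines around the raised ceiling, stay at 512 and 1024. The tool therefore still accepts, and by default generates, RSA moduli that are too short for new keys. If the range is being revisited in this change, raising the default, for example `#define DEFAULT_KEY_BITS	2048`, and reviewing the floor would fit here. The new comment ties `MAX_KEY_BITS` to `MAX_RSA_MODULUS` in freebl by convention only, and nothing visible enforces that the two agree. It would help to say in the comment which unit each constant uses.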
@@ -757,16 +758,19 @@ ValidateCert(CERTCertDBHandle *handle, c
     CERTVerifyLog *log = NULL;
 
     if (!certUsage) {
 	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
 	    return (SECFailure);
     }
     
     switch (*certUsage) {
+	case 'O':
+	    usage = certificateUsageStatusResponder;
+	    break;
 	case 'C':
 	    usage = certificateUsageSSLClient;
 	    break;
 	case 'V':
 	    usage = certificateUsageSSLServer;
 	    break;
 	case 'S':
 	    usage = certificateUsageEmailSigner;
@@ -988,16 +992,17 @@ static void
 Usage(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName);
     FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
     	progName);
+    FPS "\t%s -B -i batch-file\n", progName);
     FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
 	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
         "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
 	"\t\t [-6] [-7 emailAddrs] [-8 dns-names]\n",
 	progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
 	progName);
@@ -1036,16 +1041,18 @@ Usage(char *progName)
     exit(1);
 }
 
 static void LongUsage(char *progName)
 {
 
     FPS "%-15s Add a certificate to the database        (create if needed)\n",
 	"-A");
+    FPS "%-15s Run a series of certutil commands from a batch file\n", "-B");
+    FPS "%-20s Specify the batch file\n", "   -i batch-file");
     FPS "%-15s Add an Email certificate to the database (create if needed)\n",
 	"-E");
     FPS "%-20s Specify the nickname of the certificate to add\n",
 	"   -n cert-name");
     FPS "%-20s Set the certificate trust attributes:\n",
 	"   -t trustargs");
     FPS "%-25s p \t valid peer\n", "");
     FPS "%-25s P \t trusted peer (implies p)\n", "");
@@ -1133,17 +1140,17 @@ static void LongUsage(char *progName)
 #ifdef NSS_ENABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
 	"   -q curve-name");
     FPS "%-20s One of sect163k1, nistk163, sect163r1, sect163r2,\n", "");
     FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
     FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
     FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
     FPS "%-20s nistb409, sect571k1, nistk571, sect571r1, nistb571,\n", "");
-    FPS "%-20s secp169k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
+    FPS "%-20s secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
     FPS "%-20s nistp192, secp224k1, secp224r1, nistp224, secp256k1,\n", "");
     FPS "%-20s secp256r1, nistp256, secp384r1, nistp384, secp521r1,\n", "");
     FPS "%-20s nistp521, prime192v1, prime192v2, prime192v3, \n", "");
     FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
     FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
     FPS "%-20s c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5, \n", "");
     FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
     FPS "%-20s c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1, \n", "");
@@ -1302,16 +1309,17 @@ static void LongUsage(char *progName)
 	"   -b time");
     FPS "%-20s Check certificate signature \n",
 	"   -e ");   
     FPS "%-20s Specify certificate usage:\n", "   -u certusage");
     FPS "%-25s C \t SSL Client\n", "");
     FPS "%-25s V \t SSL Server\n", "");
     FPS "%-25s S \t Email signer\n", "");
     FPS "%-25s R \t Email Recipient\n", "");   
+    FPS "%-25s O \t OCSP status responder\n", "");   
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
 	"   -P dbprefix");
     FPS "%-20s force the database to open R/W\n",
 	"   -X");
     FPS "\n");
 
@@ -1385,17 +1393,17 @@ static void LongUsage(char *progName)
 
 static CERTCertificate *
 MakeV1Cert(	CERTCertDBHandle *	handle, 
 		CERTCertificateRequest *req,
 	    	char *			issuerNickName, 
 		PRBool 			selfsign, 
 		unsigned int 		serialNumber,
 		int 			warpmonths,
-                int                     validitylength)
+                int                     validityMonths)
 {
     CERTCertificate *issuerCert = NULL;
     CERTValidity *validity;
     CERTCertificate *cert = NULL;
     PRExplodedTime printableTime;
     PRTime now, after;
 
     if ( !selfsign ) {
@@ -1409,18 +1417,17 @@ MakeV1Cert(	CERTCertDBHandle *	handle,
 
     now = PR_Now();
     PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     if ( warpmonths ) {
 	printableTime.tm_month += warpmonths;
 	now = PR_ImplodeTime (&printableTime);
 	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     }
-    printableTime.tm_month += validitylength;
-    printableTime.tm_month += 3;
+    printableTime.tm_month += validityMonths;
     after = PR_ImplodeTime (&printableTime);
 
     /* note that the time is now in micro-second unit */
     validity = CERT_CreateValidity (now, after);
 
     cert = CERT_CreateCertificate(serialNumber, 
 				  (selfsign ? &req->subject 
 				            : &issuerCert->subject), 
@@ -1556,17 +1563,17 @@ AddOidToSequence(CERTOidSequence *os, SE
   }
 
   os->oids = oids;
   os->oids[count] = &od->oid;
 
   return SECSuccess;
 }
 
-SEC_ASN1_MKSUB(SEC_ObjectIDTemplate);
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 
 const SEC_ASN1Template CERT_OidSeqTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
 	  offsetof(CERTOidSequence, oids),
 	  SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
 };
 
 
@@ -2184,17 +2191,17 @@ CreateCert(
 	char *  issuerNickName, 
 	PRFileDesc *inFile,
 	PRFileDesc *outFile, 
 	SECKEYPrivateKey *selfsignprivkey,
 	void 	*pwarg,
 	SECOidTag hashAlgTag,
 	unsigned int serialNumber, 
 	int     warpmonths,
-	int     validitylength,
+	int     validityMonths,
 	const char *emailAddrs,
 	const char *dnsNames,
 	PRBool  ascii,
 	PRBool  selfsign,
 	PRBool	keyUsage, 
 	PRBool  extKeyUsage,
 	PRBool  basicConstraint, 
 	PRBool  authKeyID,
@@ -2219,17 +2226,17 @@ CreateCert(
 	
 	/* Create a certrequest object from the input cert request der */
 	certReq = GetCertRequest(inFile, ascii);
 	if (certReq == NULL) {
 	    GEN_BREAK (SECFailure)
 	}
 
 	subjectCert = MakeV1Cert (handle, certReq, issuerNickName, selfsign,
-				  serialNumber, warpmonths, validitylength);
+				  serialNumber, warpmonths, validityMonths);
 	if (subjectCert == NULL) {
 	    GEN_BREAK (SECFailure)
 	}
         
         
 	extHandle = CERT_StartCertExtensions (subjectCert);
 	if (extHandle == NULL) {
 	    GEN_BREAK (SECFailure)
@@ -2297,17 +2304,18 @@ enum {
     cmd_NewDBs,
     cmd_DumpChain,
     cmd_CertReq,
     cmd_CreateAndAddCert,
     cmd_TokenReset,
     cmd_ListModules,
     cmd_CheckCertValidity,
     cmd_ChangePassword,
-    cmd_Version
+    cmd_Version,
+    cmd_Batch
 };
 
 /*  Certutil options */
 enum {
     opt_SSOPass = 0,
     opt_AddKeyUsageExt,
     opt_AddBasicConstraintExt,
     opt_AddAuthorityKeyIDExt,
@@ -2339,18 +2347,17 @@ enum {
     opt_Trust,
     opt_Usage,
     opt_Validity,
     opt_OffsetMonths,
     opt_SelfSign,
     opt_RW,
     opt_Exponent,
     opt_NoiseFile,
-    opt_Hash,
-    opt_Batch
+    opt_Hash
 };
 
 static int 
 certutil_main(int argc, char **argv, PRBool initialize)
 {
     CERTCertDBHandle *certHandle;
     PK11SlotInfo *slot = NULL;
     CERTName *  subject         = 0;
@@ -2362,21 +2369,22 @@ certutil_main(int argc, char **argv, PRB
     char *      certPrefix      = "";
     KeyType     keytype         = rsaKey;
     char *      name            = NULL;
     SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
     int	        keysize	        = DEFAULT_KEY_BITS;
     int         publicExponent  = 0x010001;
     unsigned int serialNumber   = 0;
     int         warpmonths      = 0;
-    int         validitylength  = 0;
+    int         validityMonths  = 3;
     int         commandsEntered = 0;
     char        commandToRun    = '\0';
     secuPWData  pwdata          = { PW_NONE, 0 };
     PRBool 	readOnly	= PR_FALSE;
+    PRBool      initialized     = PR_FALSE;
 
     SECKEYPrivateKey *privkey = NULL;
     SECKEYPublicKey *pubkey = NULL;
 
     int i;
     SECStatus rv;
 
     secuCommand certutil;
@@ -2396,17 +2404,18 @@ secuCommandFlag certutil_commands[] =
 	{ /* cmd_NewDBs              */  'N', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_DumpChain           */  'O', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CertReq             */  'R', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CreateAndAddCert    */  'S', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_TokenReset          */  'T', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_ListModules         */  'U', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CheckCertValidity   */  'V', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_ChangePassword      */  'W', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE }
+	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_Batch               */  'B', PR_FALSE, 0, PR_FALSE }
 };
 
 secuCommandFlag certutil_options[] =
 {
 	{ /* opt_SSOPass             */  '0', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_AddKeyUsageExt      */  '1', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_AddAuthorityKeyIDExt*/  '3', PR_FALSE, 0, PR_FALSE },
@@ -2438,18 +2447,17 @@ secuCommandFlag certutil_options[] =
 	{ /* opt_Trust               */  't', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_Usage               */  'u', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_Validity            */  'v', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_OffsetMonths        */  'w', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_SelfSign            */  'x', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_RW                  */  'X', PR_FALSE, 0, PR_FALSE },
 	{ /* opt_Exponent            */  'y', PR_TRUE,  0, PR_FALSE },
 	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Batch               */  'B', PR_TRUE,  0, PR_FALSE }
+	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE }
 };
 
 
     certutil.numCommands = sizeof(certutil_commands) / sizeof(secuCommandFlag);
     certutil.numOptions = sizeof(certutil_options) / sizeof(secuCommandFlag);
     certutil.commands = certutil_commands;
     certutil.options = certutil_options;
 
@@ -2571,18 +2579,18 @@ secuCommandFlag certutil_options[] =
 	    PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
 	               progName, certutil.options[opt_Subject].arg);
 	    return 255;
 	}
     }
 
     /*  -v validity period  */
     if (certutil.options[opt_Validity].activated) {
-	validitylength = PORT_Atoi(certutil.options[opt_Validity].arg);
-	if (validitylength < 0) {
+	validityMonths = PORT_Atoi(certutil.options[opt_Validity].arg);
+	if (validityMonths < 0) {
 	    PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
 	               progName, certutil.options[opt_Validity].arg);
 	    return 255;
 	}
     }
 
     /*  -w warp months  */
     if (certutil.options[opt_OffsetMonths].activated)
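Review bot: The `validityMonths < 0` check in the `-v` block no longer catches a zero or non-numeric argument. `PORT_Atoi` gives 0 for both, and this commit removes the unconditional `tm_month += 3` in `MakeV1Cert`, so `-v 0` or `-v abc` now yields a certificate whose notAfter equals notBefore. Unless a zero-length validity is intended, the test should be `if (validityMonths <= 0) {`. The error message already reports the offending argument. A stricter parse that rejects trailing garbage would need a different helper than the one visible here.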
@@ -2796,16 +2804,17 @@ secuCommandFlag certutil_options[] =
         PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
         rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,
                             "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
         if (rv != SECSuccess) {
 	    SECU_PrintPRandOSError(progName);
 	    rv = SECFailure;
 	    goto shutdown;
         }
+        initialized = PR_TRUE;
     	SECU_RegisterDynamicOids();
     }
     certHandle = CERT_GetDefaultCertDB();
 
     if (certutil.commands[cmd_Version].activated) {
 	printf("Certificate database content version: command not implemented.\n");
     }
 
@@ -2989,17 +2998,17 @@ secuCommandFlag certutil_options[] =
     }
 
     /*  Create a certificate (-C or -S).  */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CreateNewCert].activated) {
 	rv = CreateCert(certHandle, 
 	                certutil.options[opt_IssuerName].arg,
 	                inFile, outFile, privkey, &pwdata, hashAlgTag,
-	                serialNumber, warpmonths, validitylength,
+	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,
 	                certutil.options[opt_ASCIIForIO].activated,
 	                certutil.options[opt_SelfSign].activated,
 	                certutil.options[opt_AddKeyUsageExt].activated,
 	                certutil.options[opt_AddExtKeyUsageExt].activated,
 	                certutil.options[opt_AddBasicConstraintExt].activated,
 	                certutil.options[opt_AddAuthorityKeyIDExt].activated,
@@ -3069,23 +3078,31 @@ shutdown:
      * command file.
      * - Quoting with double quote characters ("...") is supported
      * to allow white space in a command line argument.  The
      * double quote character cannot be escaped and quoting cannot
      * be nested in this version.
      * - each line in the batch file is limited to 512 characters
     */
 
-    if ((SECSuccess == rv) && certutil.options[opt_Batch].activated) {
-	FILE* batchFile = fopen(certutil.options[opt_Batch].arg, "r");
+    if ((SECSuccess == rv) && certutil.commands[cmd_Batch].activated) {
+	FILE* batchFile = NULL;
         char nextcommand[512];
+        if (!certutil.options[opt_InputFile].activated ||
+            !certutil.options[opt_InputFile].arg) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  no batch input file specified.\n",
+	               progName);
+	    return 255;
+        }
+        batchFile = fopen(certutil.options[opt_InputFile].arg, "r");
         if (!batchFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
-	               progName, certutil.options[opt_Batch].arg,
+	               progName, certutil.options[opt_InputFile].arg,
 	               PR_GetError(), PR_GetOSError());
 	    return 255;
         }
         /* read and execute command-lines in a loop */
         while ( (SECSuccess == rv ) &&
                 fgets(nextcommand, sizeof(nextcommand), batchFile)) {
             /* we now need to split the command into argc / argv format */
             char* commandline = PORT_Strdup(nextcommand);
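Review bot: The new "no batch input file specified" branch leaves through `return 255;`, which skips the `NSS_Shutdown()` call guarded by `initialized` at the end of the function; the existing fopen-failure branch a few lines below does the same. The batch block only runs after the primary command has succeeded, so the databases are presumably open and are never closed on these two paths. Setting `rv = SECFailure;` in both branches, and running the `fopen`/`fgets` loop only while `rv` is still `SECSuccess`, lets every exit pass through the shutdown check. The enclosing function starts and ends outside this hunk.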
@@ -3139,17 +3156,17 @@ shutdown:
                     rv = SECFailure;
             }
             PORT_Free(newargv);
             PORT_Free(commandline);
         }
         fclose(batchFile);
     }
 
-    if ((initialize == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
+    if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
         exit(1);
     }
 
     if (rv == SECSuccess) {
 	return 0;
     } else {
 	return 255;
     }
--- a/security/nss/cmd/crlutil/crlgen.c
+++ b/security/nss/cmd/crlutil/crlgen.c
@@ -1,40 +1,43 @@
-/*
- * The contents of this file are subject to the Maxilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
  * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
  * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
 
 /*
 ** crlgen.c
 **
 ** utility for managing certificates revocation lists generation
 **
 */
 
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -57,29 +57,57 @@
 
 static char *progName;
 
 static CERTSignedCrl *FindCRL
    (CERTCertDBHandle *certHandle, char *name, int type)
 {
     CERTSignedCrl *crl = NULL;    
     CERTCertificate *cert = NULL;
-
+    SECItem derName;
 
-    cert = CERT_FindCertByNickname(certHandle, name);
+    derName.data = NULL;
+    derName.len = 0;
+
+    cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
     if (!cert) {
-	SECU_PrintError(progName, "could not find certificate named %s", name);
-	return ((CERTSignedCrl *)NULL);
+        CERTName *certName = NULL;
+        PRArenaPool *arena = NULL;
+    
+        certName = CERT_AsciiToName(name);
+        if (certName) {
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (arena) {
+                SECItem *nameItem = 
+                    SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
+                                        SEC_ASN1_GET(CERT_NameTemplate));
+                if (nameItem) {
+                    SECITEM_CopyItem(NULL, &derName, nameItem);
+                }
+                PORT_FreeArena(arena, PR_FALSE);
+            }
+            CERT_DestroyName(certName);
+        }
+
+        if (!derName.len || !derName.data) {
+            SECU_PrintError(progName, "could not find certificate named '%s'", name);
+            return ((CERTSignedCrl *)NULL);
+        }
+    } else {
+        SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
+        CERT_DestroyCertificate (cert);
     }
-	
-    crl = SEC_FindCrlByName(certHandle, &cert->derSubject, type);
+ 
+    crl = SEC_FindCrlByName(certHandle, &derName, type);
     if (crl ==NULL) 
 	SECU_PrintError
 		(progName, "could not find %s's CRL", name);
-    CERT_DestroyCertificate (cert);
+    if (derName.data) {
+        SECITEM_FreeItem(&derName, PR_FALSE);
+    }
     return (crl);
 }
 
 static void DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
 {
     CERTSignedCrl *crl = NULL;
 
     crl = FindCRL (certHandle, nickName, crlType);
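Review bot: Both `SECITEM_CopyItem(NULL, &derName, ...)` calls in FindCRL ignore the return value, and only the not-found branch inspects `derName` afterwards. If the copy of `cert->derSubject` fails in the `else` branch, `SEC_FindCrlByName` is called with an empty name and the user is told "could not find %s's CRL" instead of seeing an allocation failure. Moving the `if (!derName.len || !derName.data)` test below the `if`/`else` so it covers both branches, or testing each call against `SECSuccess`, closes that gap.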
@@ -123,26 +151,49 @@ static void ListCRLNames (CERTCertDBHand
 	if (!crlList)
 	    break;
 
 	crlNode  = crlList->first;
 
         fprintf (stdout, "\n");
 	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
 	while (crlNode) {
-	   char* asciiname = NULL;
-	   name = &crlNode->crl->crl.name;
-	   if (!name){
-		fprintf(stderr, "%s: fail to get the CRL issuer name (%s)\n", progName,
-		SECU_Strerror(PORT_GetError()));
-		break;
+	    char* asciiname = NULL;
+	    CERTCertificate *cert = NULL;
+	    if (crlNode->crl && &crlNode->crl->crl.derName) {
+	        cert = CERT_FindCertByName(certHandle, 
+	                                   &crlNode->crl->crl.derName);
+	        if (!cert) {
+	            SECU_PrintError(progName, "could not find signing "
+	                         "certificate in database");
+	        }
 	    }
-
-	    asciiname = CERT_NameToAscii(name);
-	    fprintf (stdout, "\n%-40s %-5s\n", asciiname, "CRL");
+	    if (cert) {
+	        char* certName = NULL;
+                 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
+	            certName = cert->nickname;
+	        } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
+	            certName = cert->emailAddr;
+	        }
+	        if (certName) {
+	            asciiname = PORT_Strdup(certName);
+	        }
+	        CERT_DestroyCertificate(cert);
+	    }
+                
+	    if (!asciiname) {
+	        name = &crlNode->crl->crl.name;
+	        if (!name){
+	            SECU_PrintError(progName, "fail to get the CRL "
+	                           "issuer name");
+	            continue;
+	        }
+	        asciiname = CERT_NameToAscii(name);
+	    }
+	    fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
 	    if (asciiname) {
 		PORT_Free(asciiname);
 	    }
             if ( PR_TRUE == deletecrls) {
                 CERTSignedCrl* acrl = NULL;
                 SECItem* issuer = &crlNode->crl->crl.derName;
                 acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
                 if (acrl)
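Review bot: The guards `&crlNode->crl->crl.derName` and `if (!name)` test the address of a struct member, which is never NULL, so the first reduces to `crlNode->crl` and the second is dead code. When `crlNode->crl` is NULL, the fallback still computes `&crlNode->crl->crl.name` and hands it to `CERT_NameToAscii`. The `continue` that replaced `break` would also re-test the same `crlNode` forever if the list is advanced at the bottom of the loop, which is outside this hunk. `asciiname` can still be NULL when `PORT_Strdup` or `CERT_NameToAscii` fails, and it reaches `fprintf` before the `if (asciiname)` check; `fprintf(stdout, "%-40s %-5s\n", asciiname ? asciiname : "", "CRL");` avoids passing NULL to `%s`.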
@@ -295,31 +346,31 @@ FindSigningCert(CERTCertDBHandle *certHa
     if (certTemp)
         CERT_DestroyCertificate(certTemp);
     if (cert && rv != SECSuccess)
         CERT_DestroyCertificate(cert);
     return cert;
 }
 
 static CERTSignedCrl*
-DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
+CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
                 CERTCertificate **cert, char *certNickName,
                 PRFileDesc *inFile, PRInt32 decodeOptions,
                 PRInt32 importOptions)
 {
     SECItem crlDER;
     CERTSignedCrl *signCrl = NULL;
     CERTSignedCrl *modCrl = NULL;
     PRArenaPool *modArena = NULL;
     SECStatus rv = SECSuccess;
 
     PORT_Assert(arena != NULL && certHandle != NULL &&
                 certNickName != NULL);
     if (!arena || !certHandle || !certNickName) {
-        SECU_PrintError(progName, "DuplicateModCrl: invalid args\n");
+        SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
         return NULL;
     }
 
     modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!modArena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return NULL;
     }
@@ -373,17 +424,25 @@ DuplicateModCrl(PRArenaPool *arena, CERT
 
     rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "unable to dublicate crl for "
                         "modification.");
         goto loser;
     }  
 
-    signCrl->arena = arena;    
+    /* Make sure the update time is current. It can be modified later
+     * by "update <time>" command from crl generation script */
+    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to encode current time\n");
+        goto loser;
+    }
+
+    signCrl->arena = arena;
 
   loser:
     SECITEM_FreeItem(&crlDER, PR_FALSE);
     if (modCrl)
         SEC_DestroyCrl(modCrl);
     if (rv != SECSuccess && signCrl) {
         SEC_DestroyCrl(signCrl);
         signCrl = NULL;
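Review bot: Only `lastUpdate` is refreshed here, and nothing in the hunk touches `nextUpdate`, which presumably stays as copied from the input CRL. A modified copy of an old CRL could then carry a next-update time earlier than its new this-update time unless the generation script sets one, and relying parties commonly treat such a CRL as stale. A comment next to the new call would make the requirement explicit, for example `/* nextUpdate is not touched here; the script must supply it if the copied value is already in the past */`. The enclosing function starts before this hunk and its cleanup continues after it.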
@@ -619,17 +678,17 @@ GenerateCRL (CERTCertDBHandle *certHandl
 
     arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!arena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return SECFailure;
     }
 
     if (modifyFlag == PR_TRUE) {
-        signCrl = DuplicateModCrl(arena, certHandle, &cert, certNickName,
+        signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
                                          inFile, decodeOptions, importOptions);
         if (signCrl == NULL) {
             goto loser;
         }
     }
 
     if (!cert) {
         cert = FindSigningCert(certHandle, signCrl, certNickName);
--- a/security/nss/cmd/dbck/Makefile
+++ b/security/nss/cmd/dbck/Makefile
@@ -63,17 +63,17 @@ include ../platlibs.mk
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
-
+INCLUDES += -I ../../lib/softoken
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 
 include ../platrules.mk
  
--- a/security/nss/cmd/dbck/dbck.c
+++ b/security/nss/cmd/dbck/dbck.c
@@ -46,39 +46,88 @@
 #include "secutil.h"
 #include "cdbhdl.h"
 #include "certdb.h"
 #include "cert.h"
 #include "nspr.h"
 #include "prtypes.h"
 #include "prtime.h"
 #include "prlong.h"
+#include "pcert.h"
+#include "nss.h"
 
 static char *progName;
 
 /* placeholders for pointer error types */
 static void *WrongEntry;
 static void *NoNickname;
 static void *NoSMime;
 
+typedef enum {
+/* 0*/ NoSubjectForCert = 0,
+/* 1*/ SubjectHasNoKeyForCert,
+/* 2*/ NoNicknameOrSMimeForSubject,
+/* 3*/ WrongNicknameForSubject,
+/* 4*/ NoNicknameEntry,
+/* 5*/ WrongSMimeForSubject,
+/* 6*/ NoSMimeEntry,
+/* 7*/ NoSubjectForNickname,
+/* 8*/ NoSubjectForSMime,
+/* 9*/ NicknameAndSMimeEntries,
+    NUM_ERROR_TYPES
+} dbErrorType;
+
+static char *dbErrorString[NUM_ERROR_TYPES] = {
+/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
+/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
+/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
+/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
+/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
+/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
+/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
+/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
+/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
+};
+
+static char *errResult[NUM_ERROR_TYPES] = {
+    "Certificate entries that had no subject entry.", 
+    "Subject entries with no corresponding Certificate entries.", 
+    "Subject entries that had no nickname or S/MIME entries.",
+    "Redundant nicknames (subjects with the same nickname).",
+    "Subject entries that had no nickname entry.",
+    "Redundant email addresses (subjects with the same email address).",
+    "Subject entries that had no S/MIME entry.",
+    "Nickname entries that had no subject entry.", 
+    "S/MIME entries that had no subject entry.",
+    "Subject entries with BOTH nickname and S/MIME entries."
+};
+
+
 enum {
     GOBOTH = 0,
     GORIGHT,
     GOLEFT
 };
 
 typedef struct
 {
     PRBool verbose;
     PRBool dograph;
     PRFileDesc *out;
     PRFileDesc *graphfile;
-    int dbErrors[10];
+    int dbErrors[NUM_ERROR_TYPES];
 } dbDebugInfo;
 
+struct certDBEntryListNodeStr {
+    PRCList link;
+    certDBEntry entry;
+    void *appData;
+};
+typedef struct certDBEntryListNodeStr  certDBEntryListNode;
+
 /*
  * A list node for a cert db entry.  The index is a unique identifier
  * to use for creating generic maps of a db.  This struct handles
  * the cert, nickname, and smime db entry types, as all three have a
  * single handle to a subject entry.
  * This structure is pointed to by certDBEntryListNode->appData.
  */
 typedef struct 
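Review bot: `dbErrorString` is now declared with `NUM_ERROR_TYPES` elements but still has nine initializers, so `dbErrorString[NicknameAndSMimeEntries]` is a NULL pointer, while `errResult` right below it has all ten. Any caller that formats `dbErrorString[type]` with `%s` for that type would pass NULL; the callers are outside this hunk. Adding the tenth entry keeps the two tables parallel, e.g. `/* 9*/ "<SUBJECT ENTRY>\nSubject has both a nickname entry and an S/MIME entry.",` with wording of the author's choice.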
@@ -108,75 +157,72 @@ typedef struct
  * A map of a certdb.
  */
 typedef struct
 {
     int numCerts;
     int numSubjects;
     int numNicknames;
     int numSMime;
+    int numRevocation;
     certDBEntryListNode certs;      /* pointer to head of cert list */
     certDBEntryListNode subjects;   /* pointer to head of subject list */
     certDBEntryListNode nicknames;  /* pointer to head of nickname list */
     certDBEntryListNode smime;      /* pointer to head of smime list */
+    certDBEntryListNode revocation; /* pointer to head of revocation list */
 } certDBArray;
 
 /* Cast list to the base element, a certDBEntryListNode. */
 #define LISTNODE_CAST(node) \
     ((certDBEntryListNode *)(node))
 
 static void 
 Usage(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
-    FPS "Usage:  %s -D [-d certdir] [-i dbname] [-m] [-v  [-f dumpfile]]\n", 
+    FPS "Usage:  %s -D [-d certdir] [-m] [-v [-f dumpfile]]\n", 
 	progName);
-    FPS "        %s -R -o newdbname [-d certdir] [-i dbname] [-aprsx] [-v [-f dumpfile]]\n", 
+#ifdef DORECOVER
+    FPS "        %s -R -o newdbname [-d certdir] [-aprsx] [-v [-f dumpfile]]\n", 
 	progName);
+#endif
     exit(-1);
 }
 
 static void
 LongUsage(char *progName)
 {
     FPS "%-15s Display this help message.\n",
 	"-H");
     FPS "%-15s Dump analysis.  No changes will be made to the database.\n",
 	"-D");
     FPS "%-15s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
-    FPS "%-15s Input cert database name (default is cert7.db)\n",
-	"   -i dbname");
-    FPS "%-15s Mail a graph of the database to certdb@netscape.com.\n",
+    FPS "%-15s Put database graph in ./mailfile (default is stdout).\n",
 	"   -m");
-    FPS "%-15s This will produce an index graph of your cert db and send\n",
-	"");
-    FPS "%-15s it to Netscape for analysis.  Personal info will be removed.\n",
-	"");
-    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert7.db.\n",
+    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert8.db.\n",
 	"   -v");
-    FPS "%-15s File to dump verbose output into.\n",
+    FPS "%-15s File to dump verbose output into. (default is stdout)\n",
 	"   -f dumpfile");
+#ifdef DORECOVER
     FPS "%-15s Repair the database.  The program will look for broken\n",
 	"-R");
     FPS "%-15s dependencies between subject entries and certificates,\n",
         "");
     FPS "%-15s between nickname entries and subjects, and between SMIME\n",
         "");
     FPS "%-15s profiles and subjects.  Any duplicate entries will be\n",
         "");
     FPS "%-15s removed, any missing entries will be created.\n",
         "");
-    FPS "%-15s File to store new database in (default is new_cert7.db)\n",
+    FPS "%-15s File to store new database in (default is new_cert8.db)\n",
 	"   -o newdbname");
     FPS "%-15s Cert database directory (default is ~/.netscape)\n",
 	"   -d certdir");
-    FPS "%-15s Input cert database name (default is cert7.db)\n",
-	"   -i dbname");
     FPS "%-15s Prompt before removing any certificates.\n",
         "   -p");
     FPS "%-15s Keep all possible certificates.  Only remove certificates\n",
 	"   -a");
     FPS "%-15s which prevent creation of a consistent database.  Thus any\n",
 	"");
     FPS "%-15s expired or redundant entries will be kept.\n",
 	"");
@@ -190,64 +236,41 @@ LongUsage(char *progName)
 	"");
     FPS "%-15s Keep expired certificates.\n",
 	"   -x");
     FPS "%-15s Verbose mode - report all activity while recovering db.\n",
 	"   -v");
     FPS "%-15s File to dump verbose output into.\n",
 	"   -f dumpfile");
     FPS "\n");
+#endif
     exit(-1);
 #undef FPS
 }
 
 /*******************************************************************
  *
  *  Functions for dbck.
  *
  ******************************************************************/
 
 void
 printHexString(PRFileDesc *out, SECItem *hexval)
 {
-    int i;
+    unsigned int i;
     for (i = 0; i < hexval->len; i++) {
 	if (i != hexval->len - 1) {
 	    PR_fprintf(out, "%02x:", hexval->data[i]);
 	} else {
 	    PR_fprintf(out, "%02x", hexval->data[i]);
 	}
     }
     PR_fprintf(out, "\n");
 }
 
-typedef enum {
-/* 0*/ NoSubjectForCert = 0,
-/* 1*/ SubjectHasNoKeyForCert,
-/* 2*/ NoNicknameOrSMimeForSubject,
-/* 3*/ WrongNicknameForSubject,
-/* 4*/ NoNicknameEntry,
-/* 5*/ WrongSMimeForSubject,
-/* 6*/ NoSMimeEntry,
-/* 7*/ NoSubjectForNickname,
-/* 8*/ NoSubjectForSMime,
-/* 9*/ NicknameAndSMimeEntry
-} dbErrorType;
-
-static char *dbErrorString[] = {
-/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
-/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
-/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
-/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
-/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
-/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
-/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
-/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
-/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
-};
 
 SECStatus
 dumpCertificate(CERTCertificate *cert, int num, PRFileDesc *outfile)
 {
     int userCert = 0;
     CERTCertTrust *trust = cert->trust;
     userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
                (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
@@ -280,41 +303,55 @@ dumpCertificate(CERTCertificate *cert, i
     }
     PR_fprintf(outfile, "\n");
     return SECSuccess;
 }
 
 SECStatus
 dumpCertEntry(certDBEntryCert *entry, int num, PRFileDesc *outfile)
 {
+#if 0
+    NSSLOWCERTCertificate *cert;
+    /* should we check for existing duplicates? */
+    cert = nsslowcert_DecodeDERCertificate(&entry->cert.derCert, 
+					    entry->cert.nickname);
+#else
     CERTCertificate *cert;
     cert = CERT_DecodeDERCertificate(&entry->derCert, PR_FALSE, NULL);
+#endif
     if (!cert) {
 	fprintf(stderr, "Failed to decode certificate.\n");
 	return SECFailure;
     }
-    cert->trust = &entry->trust;
+    cert->trust = (CERTCertTrust *)&entry->trust;
     dumpCertificate(cert, num, outfile);
     CERT_DestroyCertificate(cert);
     return SECSuccess;
 }
 
 SECStatus
 dumpSubjectEntry(certDBEntrySubject *entry, int num, PRFileDesc *outfile)
 {
-    char *subjectName;
-    subjectName = CERT_DerNameToAscii(&entry->derSubject);
+    char *subjectName = CERT_DerNameToAscii(&entry->derSubject);
+
     PR_fprintf(outfile, "Subject: %3d\n", num);
     PR_fprintf(outfile, "------------\n");
     PR_fprintf(outfile, "## %s\n", subjectName);
     if (entry->nickname)
 	PR_fprintf(outfile, "## Subject nickname:  %s\n", entry->nickname);
-    if (entry->emailAddr && entry->emailAddr[0])
-	PR_fprintf(outfile, "## Subject email address:  %s\n", 
-	           entry->emailAddr);
+    if (entry->emailAddrs) {
+	unsigned int n;
+	for (n = 0; n < entry->nemailAddrs && entry->emailAddrs[n]; ++n) {
+	    char * emailAddr = entry->emailAddrs[n];
+	    if (emailAddr[0]) {
+		PR_fprintf(outfile, "## Subject email address:  %s\n", 
+	           emailAddr);
+	    }
+	}
+    }
     PR_fprintf(outfile, "## This subject has %d cert(s).\n", entry->ncerts);
     PR_fprintf(outfile, "\n");
     PORT_Free(subjectName);
     return SECSuccess;
 }
 
 SECStatus
 dumpNicknameEntry(certDBEntryNickname *entry, int num, PRFileDesc *outfile)
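Review bot: The cast in `cert->trust = (CERTCertTrust *)&entry->trust;` silences a pointer-type mismatch instead of resolving it. The declaration of `entry->trust` is not visible in this hunk, but if it is a different struct type, dumpCertEntry now depends on the two layouts staying identical. Copying the trust flags into a local `CERTCertTrust` and pointing `cert->trust` at that for the dump would remove the dependency; at minimum add `/* relies on entry->trust having the same layout as CERTCertTrust */` above the assignment. The `#if 0` branch is dead code and reads `entry->cert.derCert` where the live branch reads `entry->derCert`, so it is better deleted than left to drift.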
@@ -326,37 +363,44 @@ dumpNicknameEntry(certDBEntryNickname *e
 }
 
 SECStatus
 dumpSMimeEntry(certDBEntrySMime *entry, int num, PRFileDesc *outfile)
 {
     PR_fprintf(outfile, "S/MIME Profile: %3d\n", num);
     PR_fprintf(outfile, "-------------------\n");
     PR_fprintf(outfile, "##  \"%s\"\n", entry->emailAddr);
+#ifdef OLDWAY
     PR_fprintf(outfile, "##  OPTIONS:  ");
     printHexString(outfile, &entry->smimeOptions);
     PR_fprintf(outfile, "##  TIMESTAMP:  ");
     printHexString(outfile, &entry->optionsDate);
+#else
+    SECU_PrintAny(stdout, &entry->smimeOptions, "##  OPTIONS  ", 0);
+    fflush(stdout);
+    if (entry->optionsDate.len && entry->optionsDate.data)
+	PR_fprintf(outfile, "##  TIMESTAMP: %.*s\n", 
+	           entry->optionsDate.len, entry->optionsDate.data);
+#endif
     PR_fprintf(outfile, "\n");
     return SECSuccess;
 }
 
 SECStatus
 mapCertEntries(certDBArray *dbArray)
 {
     certDBEntryCert *certEntry;
     certDBEntrySubject *subjectEntry;
     certDBEntryListNode *certNode, *subjNode;
     certDBSubjectEntryMap *smap;
     certDBEntryMap *map;
     PRArenaPool *tmparena;
     SECItem derSubject;
     SECItem certKey;
     PRCList *cElem, *sElem;
-    int i;
 
     /* Arena for decoded entries */
     tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (tmparena == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
 
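Review bot: `SECU_PrintAny(stdout, &entry->smimeOptions, ...)` writes the options to stdout while every other line of dumpSMimeEntry goes to `outfile`, so with `-f dumpfile` the S/MIME options are separated from the rest of the entry. The timestamp is also printed with `%.*s` straight from `optionsDate.data`, which assumes the stored bytes are printable text. Either keep the options on `outfile` (the `OLDWAY` branch's `printHexString(outfile, ...)` already does) or document the split with a comment such as `/* SECU_PrintAny takes a FILE*, so the options go to stdout even when outfile is a file */`.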
@@ -372,16 +416,17 @@ mapCertEntries(certDBArray *dbArray)
 	CERT_NameFromDERCert(&certEntry->derCert, &derSubject);
 	CERT_KeyFromDERCert(tmparena, &certEntry->derCert, &certKey);
 	/*  Loop over found subjects for cert's DN.  */
 	for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
 	     sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
 	    subjNode = LISTNODE_CAST(sElem);
 	    subjectEntry = (certDBEntrySubject *)&subjNode->entry;
 	    if (SECITEM_ItemsAreEqual(&derSubject, &subjectEntry->derSubject)) {
+		unsigned int i;
 		/*  Found matching subject name, create link.  */
 		map->pSubject = subjNode;
 		/*  Make sure subject entry has cert's key.  */
 		for (i=0; i<subjectEntry->ncerts; i++) {
 		    if (SECITEM_ItemsAreEqual(&certKey,
 		                              &subjectEntry->certKeys[i])) {
 			/*  Found matching cert key.  */
 			smap = (certDBSubjectEntryMap *)subjNode->appData;
@@ -395,87 +440,100 @@ mapCertEntries(certDBArray *dbArray)
     PORT_FreeArena(tmparena, PR_FALSE);
     return SECSuccess;
 }
 
 SECStatus
 mapSubjectEntries(certDBArray *dbArray)
 {
     certDBEntrySubject *subjectEntry;
-    certDBEntryNickname *nicknameEntry;
-    certDBEntrySMime *smimeEntry;
-    certDBEntryListNode *subjNode, *nickNode, *smimeNode;
+    certDBEntryListNode *subjNode;
     certDBSubjectEntryMap *subjMap;
-    certDBEntryMap *nickMap, *smimeMap;
-    PRCList *sElem, *nElem, *mElem;
+    PRCList *sElem;
 
     for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
          sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
 	/* Iterate over subject entries and map subjects to nickname
 	 * and smime entries.  The cert<->subject map will be handled
 	 * by a subsequent call to mapCertEntries.
 	 */
 	subjNode = LISTNODE_CAST(sElem);
 	subjectEntry = (certDBEntrySubject *)&subjNode->entry;
 	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	/* need to alloc memory here for array of matching certs. */
 	subjMap->pCerts = PORT_ArenaAlloc(subjMap->arena, 
 	                                  subjectEntry->ncerts*sizeof(int));
 	subjMap->numCerts = subjectEntry->ncerts;
+	subjMap->pNickname = NoNickname;
+	subjMap->pSMime = NoSMime;
+
 	if (subjectEntry->nickname) {
 	    /* Subject should have a nickname entry, so create a link. */
+	    PRCList *nElem;
 	    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
 	         nElem != &dbArray->nicknames.link; 
 	         nElem = PR_NEXT_LINK(nElem)) {
+		certDBEntryListNode *nickNode;
+		certDBEntryNickname *nicknameEntry;
 		/*  Look for subject's nickname in nickname entries.  */
 		nickNode = LISTNODE_CAST(nElem);
 		nicknameEntry = (certDBEntryNickname *)&nickNode->entry;
-		nickMap = (certDBEntryMap *)nickNode->appData;
 		if (PL_strcmp(subjectEntry->nickname, 
 		              nicknameEntry->nickname) == 0) {
 		    /*  Found a nickname entry for subject's nickname.  */
 		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
 		                              &nicknameEntry->subjectName)) {
+			certDBEntryMap *nickMap;
+			nickMap = (certDBEntryMap *)nickNode->appData;
 			/*  Nickname and subject match.  */
 			subjMap->pNickname = nickNode;
 			nickMap->pSubject = subjNode;
-		    } else {
+		    } else if (subjMap->pNickname == NoNickname) {
 			/*  Nickname entry found is for diff. subject.  */
 			subjMap->pNickname = WrongEntry;
 		    }
 		}
 	    }
-	} else {
-	    subjMap->pNickname = NoNickname;
 	}
-	if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
-	    /* Subject should have an smime entry, so create a link. */
-	    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
-	         mElem != &dbArray->smime.link; mElem = PR_NEXT_LINK(mElem)) {
-		/*  Look for subject's email in S/MIME entries.  */
-		smimeNode = LISTNODE_CAST(mElem);
-		smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
-		smimeMap = (certDBEntryMap *)smimeNode->appData;
-		if (PL_strcmp(subjectEntry->emailAddr, 
-		              smimeEntry->emailAddr) == 0) {
-		    /*  Found a S/MIME entry for subject's email.  */
-		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-		                              &smimeEntry->subjectName)) {
-			/*  S/MIME entry and subject match.  */
-			subjMap->pSMime = smimeNode;
-			smimeMap->pSubject = subjNode;
-		    } else {
-			/*  S/MIME entry found is for diff. subject.  */
-			subjMap->pSMime = WrongEntry;
-		    }
-		}
-	    }
-	} else {
-	    subjMap->pSMime = NoSMime;
-	}
+	if (subjectEntry->emailAddrs) {
+	    unsigned int n;
+	    for (n = 0; n < subjectEntry->nemailAddrs && 
+	                subjectEntry->emailAddrs[n]; ++n) {
+		char * emailAddr = subjectEntry->emailAddrs[n];
+		if (emailAddr[0]) {
+		    PRCList *mElem;
+		    /* Subject should have an smime entry, so create a link. */
+		    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
+			 mElem != &dbArray->smime.link; 
+			 mElem = PR_NEXT_LINK(mElem)) {
+			certDBEntryListNode *smimeNode;
+			certDBEntrySMime *smimeEntry;
+			/*  Look for subject's email in S/MIME entries.  */
+			smimeNode = LISTNODE_CAST(mElem);
+			smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
+			if (PL_strcmp(emailAddr, 
+				      smimeEntry->emailAddr) == 0) {
+			    /*  Found a S/MIME entry for subject's email.  */
+			    if (SECITEM_ItemsAreEqual(
+			    		&subjectEntry->derSubject,
+				        &smimeEntry->subjectName)) {
+				certDBEntryMap *smimeMap;
+				/*  S/MIME entry and subject match.  */
+				subjMap->pSMime = smimeNode;
+				smimeMap = (certDBEntryMap *)smimeNode->appData;
+				smimeMap->pSubject = subjNode;
+			    } else if (subjMap->pSMime == NoSMime) {
+				/*  S/MIME entry found is for diff. subject.  */
+				subjMap->pSMime = WrongEntry;
+			    }
+			}
+		    }   /* end for */
+		}   /* endif (emailAddr[0]) */
+	    }   /* end for */
+	}   /* endif (subjectEntry->emailAddrs) */
     }
     return SECSuccess;
 }
 
 void
 printnode(dbDebugInfo *info, const char *str, int num)
 {
     if (!info->dograph)
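Review bot: The new `else if (subjMap->pNickname == NoNickname)` and `else if (subjMap->pSMime == NoSMime)` branches only have an effect if `WrongEntry`, `NoNickname` and `NoSMime` hold distinct values, but near the top of the file they are declared as `static void *` with no initializer. Unless they are assigned elsewhere, all three are NULL, so storing `WrongEntry` is a no-op and an entry that belongs to a different subject is recorded the same way as a missing one. If the cases are meant to be told apart, the placeholders need distinct addresses and the `!subjMap->pNickname` style tests elsewhere need to compare against them. Separately, the `pCerts` array on the unchanged line above is sized with `sizeof(int)` and stored unchecked, although `pCerts[0]` is later used as a node pointer.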
@@ -530,16 +588,17 @@ print_smime_graph(dbDebugInfo *info, cer
 	/* Need to output subject and cert first, see print_subject_graph */
 	subjNode = smimeMap->pSubject;
 	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
 	    subjMap = (certDBSubjectEntryMap *)subjNode->appData; 
 	    print_subject_graph(info, subjMap, GOLEFT,
 	                        smimeMap->index, certDBEntryTypeSMimeProfile);
 	} else {
 	    printnode(info, "<---- S/MIME   %5d   ", smimeMap->index);
+	    info->dbErrors[NoSubjectForSMime]++;
 	}
     } else {
 	printnode(info, "S/MIME   %5d   ", smimeMap->index);
     }
 }
 
 /* Given a nickname entry, print its unique identifier.  If GOLEFT is 
  * specified, print the cert<-subject<-nickname map, else just print
@@ -554,16 +613,17 @@ print_nickname_graph(dbDebugInfo *info, 
 	/* Need to output subject and cert first, see print_subject_graph */
 	subjNode = nickMap->pSubject;
 	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
 	    subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	    print_subject_graph(info, subjMap, GOLEFT,
 	                        nickMap->index, certDBEntryTypeNickname);
 	} else {
 	    printnode(info, "<---- Nickname %5d   ", nickMap->index);
+	    info->dbErrors[NoSubjectForNickname]++;
 	}
     } else {
 	printnode(info, "Nickname %5d   ", nickMap->index);
     }
 }
 
 /* Given a subject entry, if going right print the graph of the nickname|smime
  * that it maps to (by its unique identifier); and if going left
@@ -598,16 +658,18 @@ print_subject_graph(dbDebugInfo *info, c
 	    /* XXX uh-oh */
 	    return;
 	/* get the first cert and dump it. */
 	node = subjMap->pCerts[0];
 	if (map_handle_is_ok(info, (void *)node, 0)) {
 	    map = (certDBEntryMap *)node->appData;
 	    /* going left here stops. */
 	    print_cert_graph(info, map, GOLEFT); 
+	} else {
+	    info->dbErrors[SubjectHasNoKeyForCert]++;
 	}
 	/* Now it is safe to output the subject id. */
 	if (direction == GOLEFT)
 	    printnode(info, "Subject  %5d <---- ", subjMap->index);
 	else /* direction == GOBOTH */
 	    printnode(info, "Subject  %5d ----> ", subjMap->index);
     }
     if (direction == GORIGHT || direction == GOBOTH) { 
@@ -627,16 +689,20 @@ print_subject_graph(dbDebugInfo *info, c
 	    if (map_handle_is_ok(info, (void *)node, 0)) {
 		map = (certDBEntryMap *)node->appData;
 		/* going right here stops. */
 		print_smime_graph(info, map, GORIGHT); 
 	    }
 	}
 	if (!subjMap->pNickname && !subjMap->pSMime) {
 	    printnode(info, "******************* ", -1);
+	    info->dbErrors[NoNicknameOrSMimeForSubject]++;
+	}
+	if (subjMap->pNickname && subjMap->pSMime) {
+	    info->dbErrors[NicknameAndSMimeEntries]++;
 	}
     }
     if (direction != GORIGHT) { /* going right has only one cert */
 	if (opttype == certDBEntryTypeNickname)
 	    printnode(info, "Nickname %5d   ", optindex);
 	else if (opttype == certDBEntryTypeSMimeProfile)
 	    printnode(info, "S/MIME   %5d   ", optindex);
 	for (i=1 /* 1st one already done */; i<subjMap->numCerts; i++) {
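Review bot: The added test `if (subjMap->pNickname && subjMap->pSMime)` treats any non-NULL pSMime as a real S/MIME entry, but the mapping code earlier in this patch stores the markers `NoSMime` and `WrongEntry` in that field. If either marker is non-NULL (their definitions are not visible here), a subject with a nickname and a mismatched S/MIME entry is counted under NicknameAndSMimeEntries and then subtracted in the N1 consistency equation. Consider excluding the markers explicitly, e.g. `if (subjMap->pNickname && subjMap->pSMime && subjMap->pSMime != NoSMime && subjMap->pSMime != WrongEntry)`. print_subject_graph begins and ends outside this hunk.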
@@ -667,16 +733,18 @@ print_cert_graph(dbDebugInfo *info, cert
 	return;
     }
     /* Keep going right then. */
     printnode(info, "Cert     %5d ----> ", certMap->index);
     subjNode = certMap->pSubject;
     if (map_handle_is_ok(info, (void *)subjNode, 0)) {
 	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
 	print_subject_graph(info, subjMap, GORIGHT, -1, -1);
+    } else {
+	info->dbErrors[NoSubjectForCert]++;
     }
 }
 
 SECStatus
 computeDBGraph(certDBArray *dbArray, dbDebugInfo *info)
 {
     PRCList *cElem, *sElem, *nElem, *mElem;
     certDBEntryListNode *node;
@@ -769,48 +837,57 @@ verboseOutput(certDBArray *dbArray, dbDe
 	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
 	} else {
 	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
 	}
     }
     /* List subjects */
     for (elem = PR_LIST_HEAD(&dbArray->subjects.link);
          elem != &dbArray->subjects.link; elem = PR_NEXT_LINK(elem)) {
+	int refs = 0;
 	node = LISTNODE_CAST(elem);
 	subjectEntry = (certDBEntrySubject *)&node->entry;
 	smap = (certDBSubjectEntryMap *)node->appData;
 	dumpSubjectEntry(subjectEntry, smap->index, info->out);
 	/* iterate over subject's certs */
 	for (i=0; i<smap->numCerts; i++) {
 	    /* walk each subject handle to it's cert entries */
 	    if (map_handle_is_ok(info, smap->pCerts[i], -1)) {
 		ref = ((certDBEntryMap *)smap->pCerts[i]->appData)->index;
 		PR_fprintf(info->out, "-->(%d. certificate %d)\n", i, ref);
 	    } else {
 		PR_fprintf(info->out, "-->(%d. MISSING CERT ENTRY)\n", i);
 	    }
 	}
 	if (subjectEntry->nickname) {
+	    ++refs;
 	    /* walk each subject handle to it's nickname entry */
 	    if (map_handle_is_ok(info, smap->pNickname, -1)) {
 		ref = ((certDBEntryMap *)smap->pNickname->appData)->index;
 		PR_fprintf(info->out, "-->(nickname %d)\n", ref);
 	    } else {
 		PR_fprintf(info->out, "-->(MISSING NICKNAME ENTRY)\n");
 	    }
 	}
-	if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	if (subjectEntry->nemailAddrs && 
+	    subjectEntry->emailAddrs &&
+	    subjectEntry->emailAddrs[0] &&
+	    subjectEntry->emailAddrs[0][0]) {
+	    ++refs;
 	    /* walk each subject handle to it's smime entry */
 	    if (map_handle_is_ok(info, smap->pSMime, -1)) {
 		ref = ((certDBEntryMap *)smap->pSMime->appData)->index;
 		PR_fprintf(info->out, "-->(s/mime %d)\n", ref);
 	    } else {
 		PR_fprintf(info->out, "-->(MISSING S/MIME ENTRY)\n");
 	    }
 	}
+	if (!refs) {
+	    PR_fprintf(info->out, "-->(NO NICKNAME+S/MIME ENTRY)\n");
+	}
 	PR_fprintf(info->out, "\n\n");
     }
     for (elem = PR_LIST_HEAD(&dbArray->nicknames.link);
          elem != &dbArray->nicknames.link; elem = PR_NEXT_LINK(elem)) {
 	node = LISTNODE_CAST(elem);
 	map = (certDBEntryMap *)node->appData;
 	dumpNicknameEntry((certDBEntryNickname*)&node->entry, map->index, 
 	                  info->out);
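Review bot: The rewritten condition looks only at `subjectEntry->emailAddrs[0]`, although the entry now carries `nemailAddrs` addresses and the mapping loop earlier in this patch appears to walk all of them. A subject whose first slot is empty but which has a later address would, as far as this hunk shows, skip the S/MIME line and can end up printing `-->(NO NICKNAME+S/MIME ENTRY)`. If only the first address is meant to be significant, say so in a comment such as `/* only emailAddrs[0] is reported here */`; otherwise loop over all `nemailAddrs` entries before deciding. verboseOutput begins and ends outside this hunk.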
@@ -831,62 +908,85 @@ verboseOutput(certDBArray *dbArray, dbDe
 	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
 	} else {
 	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
 	}
     }
     PR_fprintf(info->out, "\n\n");
 }
 
-char *errResult[] = {
-    "Certificate entries that had no subject entry.", 
-    "Certificate entries that had no key in their subject entry.", 
-    "Subject entries that had no nickname or email address.",
-    "Redundant nicknames (subjects with the same nickname).",
-    "Subject entries that had no nickname entry.",
-    "Redundant email addresses (subjects with the same email address).",
-    "Subject entries that had no S/MIME entry.",
-    "Nickname entries that had no subject entry.", 
-    "S/MIME entries that had no subject entry.",
-};
+
+/* A callback function, intended to be called from nsslowcert_TraverseDBEntries
+ * Builds a PRCList of DB entries of the specified type.
+ */
+SECStatus 
+SEC_GetCertDBEntryList(SECItem *dbdata, SECItem *dbkey, 
+                       certDBEntryType entryType, void *pdata)
+{
+    certDBEntry         * entry;
+    certDBEntryListNode * node;
+    PRCList             * list = (PRCList *)pdata;
+
+    if (!dbdata || !dbkey || !pdata || !dbdata->data || !dbkey->data) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    entry = nsslowcert_DecodeAnyDBEntry(dbdata, dbkey, entryType, NULL);
+    if (!entry) {
+    	return SECSuccess; /* skip it */
+    }
+    node = PORT_ArenaZNew(entry->common.arena, certDBEntryListNode);
+    if (!node) {
+    	/* DestroyDBEntry(entry); */
+	PLArenaPool *arena = entry->common.arena;
+	PORT_Memset(&entry->common, 0, sizeof entry->common);
+	PORT_FreeArena(arena, PR_FALSE);
+	return SECFailure;
+    }
+    node->entry = *entry;  		/* crude but effective. */
+    PR_INIT_CLIST(&node->link);
+    PR_INSERT_BEFORE(&node->link, list);
+    return SECSuccess;
+}
+
 
 int
-fillDBEntryArray(CERTCertDBHandle *handle, certDBEntryType type, 
+fillDBEntryArray(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, 
                  certDBEntryListNode *list)
 {
     PRCList *elem;
     certDBEntryListNode *node;
     certDBEntryMap *mnode;
     certDBSubjectEntryMap *smnode;
     PRArenaPool *arena;
     int count = 0;
+
     /* Initialize a dummy entry in the list.  The list head will be the
      * next element, so this element is skipped by for loops.
      */
     PR_INIT_CLIST((PRCList *)list);
     /* Collect all of the cert db entries for this type into a list. */
-    SEC_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, 
-                          (PRCList *)list);
+    nsslowcert_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, list);
+
     for (elem = PR_LIST_HEAD(&list->link); 
          elem != &list->link; elem = PR_NEXT_LINK(elem)) {
 	/* Iterate over the entries and ... */
 	node = (certDBEntryListNode *)elem;
 	if (type != certDBEntryTypeSubject) {
 	    arena = PORT_NewArena(sizeof(*mnode));
-	    mnode = (certDBEntryMap *)PORT_ArenaZAlloc(arena, sizeof(*mnode));
+	    mnode = PORT_ArenaZNew(arena, certDBEntryMap);
 	    mnode->arena = arena;
 	    /* ... assign a unique index number to each node, and ... */
 	    mnode->index = count;
 	    /* ... set the map pointer for the node. */
 	    node->appData = (void *)mnode;
 	} else {
 	    /* allocate some room for the cert pointers also */
 	    arena = PORT_NewArena(sizeof(*smnode) + 20*sizeof(void *));
-	    smnode = (certDBSubjectEntryMap *)
-	              PORT_ArenaZAlloc(arena, sizeof(*smnode));
+	    smnode = PORT_ArenaZNew(arena, certDBSubjectEntryMap);
 	    smnode->arena = arena;
 	    smnode->index = count;
 	    node->appData = (void *)smnode;
 	}
 	count++;
     }
     return count;
 }
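Review bot: In fillDBEntryArray the results of `PORT_NewArena` and of the new `PORT_ArenaZNew` calls are dereferenced on the following line (`mnode->arena = arena;`, `smnode->arena = arena;`) without a NULL check, so an allocation failure crashes the checker instead of being reported. The status returned by `nsslowcert_TraverseDBEntries` is also dropped, although the new callback SEC_GetCertDBEntryList returns SECFailure when it cannot allocate a node, so a list that was presumably cut short is counted as if it were complete. Check each allocation, e.g. `if (!arena) return -1;` and `if (!mnode) { PORT_FreeArena(arena, PR_FALSE); return -1; }`, test the traversal status the same way, and have DBCK_DebugDB treat a negative count as a failed scan instead of printing statistics.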
@@ -905,52 +1005,56 @@ freeDBEntryList(PRCList *list)
 	PR_REMOVE_LINK(&node->link);
 	PORT_FreeArena(map->arena, PR_TRUE);
 	PORT_FreeArena(node->entry.common.arena, PR_TRUE);
 	elem = next;
     }
 }
 
 void
-DBCK_DebugDB(CERTCertDBHandle *handle, PRFileDesc *out, PRFileDesc *mailfile)
+DBCK_DebugDB(NSSLOWCERTCertDBHandle *handle, PRFileDesc *out, 
+	     PRFileDesc *mailfile)
 {
     int i, nCertsFound, nSubjFound, nErr;
-    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime;
+    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime, nRevocation;
     PRCList *elem;
     char c;
     dbDebugInfo info;
     certDBArray dbArray;
 
     PORT_Memset(&dbArray, 0, sizeof(dbArray));
     PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (out == NULL) ? PR_FALSE : PR_TRUE ;
-    info.dograph = (mailfile == NULL) ? PR_FALSE : PR_TRUE ;
-    info.out = (out) ? out : PR_STDOUT;
-    info.graphfile = mailfile;
+    info.verbose = (PRBool)(out != NULL);
+    info.dograph = info.verbose;
+    info.out       = (out)    ? out      : PR_STDOUT;
+    info.graphfile = mailfile ? mailfile : PR_STDOUT;
 
     /*  Fill the array structure with cert/subject/nickname/smime entries.  */
-    dbArray.numCerts = fillDBEntryArray(handle, certDBEntryTypeCert, 
-                                        &dbArray.certs);
-    dbArray.numSubjects = fillDBEntryArray(handle, certDBEntryTypeSubject, 
-                                           &dbArray.subjects);
+    dbArray.numCerts     = fillDBEntryArray(handle, certDBEntryTypeCert, 
+                                            &dbArray.certs);
+    dbArray.numSubjects  = fillDBEntryArray(handle, certDBEntryTypeSubject, 
+                                            &dbArray.subjects);
     dbArray.numNicknames = fillDBEntryArray(handle, certDBEntryTypeNickname, 
                                             &dbArray.nicknames);
-    dbArray.numSMime = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
-                                        &dbArray.smime);
+    dbArray.numSMime     = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
+                                            &dbArray.smime);
+    dbArray.numRevocation= fillDBEntryArray(handle, certDBEntryTypeRevocation, 
+                                            &dbArray.revocation);
 
     /*  Compute the map between the database entries.  */
     mapSubjectEntries(&dbArray);
     mapCertEntries(&dbArray);
     computeDBGraph(&dbArray, &info);
 
     /*  Store the totals for later reference.  */
-    nCerts = dbArray.numCerts;
-    nSubjects = dbArray.numSubjects;
+    nCerts     = dbArray.numCerts;
+    nSubjects  = dbArray.numSubjects;
     nNicknames = dbArray.numNicknames;
-    nSMime = dbArray.numSMime;
+    nSMime     = dbArray.numSMime;
+    nRevocation= dbArray.numRevocation;
     nSubjCerts = 0;
     for (elem = PR_LIST_HEAD(&dbArray.subjects.link);
          elem != &dbArray.subjects.link; elem = PR_NEXT_LINK(elem)) {
 	certDBSubjectEntryMap *smap;
 	smap = (certDBSubjectEntryMap *)LISTNODE_CAST(elem)->appData;
 	nSubjCerts += smap->numCerts;
     }
 
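Review bot: `info.dograph = info.verbose;` means the `mailfile` argument no longer decides whether the graph is produced; it now only selects the destination, with `PR_STDOUT` as the fallback. A caller that passes `out` but no `mailfile` therefore gets the graph on stdout while the verbose dump goes to `out`, which is easy to miss. A header comment on DBCK_DebugDB should state this, for example `/* out != NULL enables the verbose dump and the graph; the graph is written to mailfile, or to stdout when mailfile is NULL */`. The function continues past the end of this hunk.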
@@ -958,33 +1062,36 @@ DBCK_DebugDB(CERTCertDBHandle *handle, P
 	/*  Dump the database contents.  */
 	verboseOutput(&dbArray, &info);
     }
 
     freeDBEntryList(&dbArray.certs.link);
     freeDBEntryList(&dbArray.subjects.link);
     freeDBEntryList(&dbArray.nicknames.link);
     freeDBEntryList(&dbArray.smime.link);
+    freeDBEntryList(&dbArray.revocation.link);
 
     PR_fprintf(info.out, "\n");
     PR_fprintf(info.out, "Database statistics:\n");
     PR_fprintf(info.out, "N0: Found %4d Certificate entries.\n", 
                           nCerts);
     PR_fprintf(info.out, "N1: Found %4d Subject entries (unique DN's).\n", 
                           nSubjects);
     PR_fprintf(info.out, "N2: Found %4d Cert keys within Subject entries.\n", 
                           nSubjCerts);
     PR_fprintf(info.out, "N3: Found %4d Nickname entries.\n", 
                           nNicknames);
     PR_fprintf(info.out, "N4: Found %4d S/MIME entries.\n", 
                           nSMime);
+    PR_fprintf(info.out, "N5: Found %4d CRL entries.\n", 
+                          nRevocation);
     PR_fprintf(info.out, "\n");
 
     nErr = 0;
-    for (i=0; i<sizeof(errResult)/sizeof(char*); i++) {
+    for (i=0; i < NUM_ERROR_TYPES; i++) {
 	PR_fprintf(info.out, "E%d: Found %4d %s\n", 
 	           i, info.dbErrors[i], errResult[i]);
 	nErr += info.dbErrors[i];
     }
     PR_fprintf(info.out, "--------------\n    Found %4d errors in database.\n", 
                nErr);
 
     PR_fprintf(info.out, "\nCertificates:\n");
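Review bot: The loop bound changed from `sizeof(errResult)/sizeof(char*)` to `NUM_ERROR_TYPES`, so nothing in this function ties the bound to the real length of `errResult` any more; the table's definition was removed from this file in an earlier hunk and its new location is not visible here. If the table or `info.dbErrors` ever has fewer than NUM_ERROR_TYPES elements, `errResult[i]` or `info.dbErrors[i]` reads past the end of the array. Declaring the table with the explicit size, `char *errResult[NUM_ERROR_TYPES]`, gives it the full length even when an initializer is forgotten, and a comment next to the enum should say that the two must be kept in step. DBCK_DebugDB begins and ends outside this hunk.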
@@ -993,710 +1100,52 @@ DBCK_DebugDB(CERTCertDBHandle *handle, P
     nCertsFound = nSubjCerts +
                   info.dbErrors[NoSubjectForCert] +
                   info.dbErrors[SubjectHasNoKeyForCert];
     c = (nCertsFound == nCerts) ? '=' : '!';
     PR_fprintf(info.out, "%d %c= %d + %d + %d\n", nCerts, c, nSubjCerts, 
                   info.dbErrors[NoSubjectForCert],
                   info.dbErrors[SubjectHasNoKeyForCert]);
     PR_fprintf(info.out, "\nSubjects:\n");
-    PR_fprintf(info.out, "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d\n",
-                  NoNicknameOrSMimeForSubject, WrongNicknameForSubject,
-		  NoNicknameEntry, WrongSMimeForSubject, NoSMimeEntry,
-		  NoSubjectForNickname, NoSubjectForSMime);
-    PR_fprintf(info.out, "      - #(subjects with both nickname and S/MIME entries)\n");
+    PR_fprintf(info.out, 
+    "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d - E%d\n",
+                  NoNicknameOrSMimeForSubject, 
+		  WrongNicknameForSubject,
+		  NoNicknameEntry, 
+		  WrongSMimeForSubject, 
+		  NoSMimeEntry,
+		  NoSubjectForNickname, 
+		  NoSubjectForSMime,
+		  NicknameAndSMimeEntries);
     nSubjFound = nNicknames + nSMime + 
                  info.dbErrors[NoNicknameOrSMimeForSubject] +
 		 info.dbErrors[WrongNicknameForSubject] +
 		 info.dbErrors[NoNicknameEntry] +
 		 info.dbErrors[WrongSMimeForSubject] +
                  info.dbErrors[NoSMimeEntry] -
 		 info.dbErrors[NoSubjectForNickname] -
 		 info.dbErrors[NoSubjectForSMime] -
-		 info.dbErrors[NicknameAndSMimeEntry];
+		 info.dbErrors[NicknameAndSMimeEntries];
     c = (nSubjFound == nSubjects) ? '=' : '!';
-    PR_fprintf(info.out, "%d %c= %d + %d + %d + %d + %d + %d + %d - %d - %d - %d\n",
+    PR_fprintf(info.out, 
+    "%2d %c= %2d + %2d + %2d + %2d + %2d + %2d + %2d - %2d - %2d - %2d\n",
                   nSubjects, c, nNicknames, nSMime,
                   info.dbErrors[NoNicknameOrSMimeForSubject],
 		  info.dbErrors[WrongNicknameForSubject],
 		  info.dbErrors[NoNicknameEntry],
 		  info.dbErrors[WrongSMimeForSubject],
                   info.dbErrors[NoSMimeEntry],
 		  info.dbErrors[NoSubjectForNickname],
 		  info.dbErrors[NoSubjectForSMime],
-		  info.dbErrors[NicknameAndSMimeEntry]);
+		  info.dbErrors[NicknameAndSMimeEntries]);
     PR_fprintf(info.out, "\n");
 }
 
 #ifdef DORECOVER
-enum {
-    dbInvalidCert = 0,
-    dbNoSMimeProfile,
-    dbOlderCert,
-    dbBadCertificate,
-    dbCertNotWrittenToDB
-};
-
-typedef struct dbRestoreInfoStr
-{
-    CERTCertDBHandle *handle;
-    PRBool verbose;
-    PRFileDesc *out;
-    int nCerts;
-    int nOldCerts;
-    int dbErrors[5];
-    PRBool removeType[3];
-    PRBool promptUser[3];
-} dbRestoreInfo;
-
-char *
-IsEmailCert(CERTCertificate *cert)
-{
-    char *email, *tmp1, *tmp2;
-    PRBool isCA;
-    int len;
-
-    if (!cert->subjectName) {
-	return NULL;
-    }
-
-    tmp1 = PORT_Strstr(cert->subjectName, "E=");
-    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
-    /* XXX Nelson has cert for KTrilli which does not have either
-     * of above but is email cert (has cert->emailAddr). 
-     */
-    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
-	return NULL;
-    }
-
-    /*  Server or CA cert, not personal email.  */
-    isCA = CERT_IsCACert(cert, NULL);
-    if (isCA)
-	return NULL;
-
-    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
-	but doesn't appear to. */
-    /*  Check the key usage extension.  */
-    if (cert->keyUsagePresent) {
-	/*  Must at least be able to sign or encrypt (not neccesarily
-	 *  both if it is one of a dual cert).  
-	 */
-	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
-              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
-	    return NULL;
-
-	/*  CA cert, not personal email.  */
-	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
-	    return NULL;
-    }
-
-    if (cert->emailAddr && cert->emailAddr[0]) {
-	email = PORT_Strdup(cert->emailAddr);
-    } else {
-	if (tmp1)
-	    tmp1 += 2; /* "E="  */
-	else
-	    tmp1 = tmp2 + 5; /* "MAIL=" */
-	len = strcspn(tmp1, ", ");
-	email = (char*)PORT_Alloc(len+1);
-	PORT_Strncpy(email, tmp1, len);
-	email[len] = '\0';
-    }
-
-    return email;
-}
-
-SECStatus
-deleteit(CERTCertificate *cert, void *arg)
-{
-    return SEC_DeletePermCertificate(cert);
-}
-
-/*  Different than DeleteCertificate - has the added bonus of removing
- *  all certs with the same DN.  
- */
-SECStatus
-deleteAllEntriesForCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-                        PRFileDesc *outfile)
-{
-#if 0
-    certDBEntrySubject *subjectEntry;
-    certDBEntryNickname *nicknameEntry;
-    certDBEntrySMime *smimeEntry;
-    int i;
-#endif
-
-    if (outfile) {
-	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
-	PR_fprintf(outfile, "Deleting redundant certificate:\n");
-	dumpCertificate(cert, -1, outfile);
-    }
-
-    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
-#if 0
-    CERT_LockDB(handle);
-    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
-    /*  It had better be there, or created a bad db.  */
-    PORT_Assert(subjectEntry);
-    for (i=0; i<subjectEntry->ncerts; i++) {
-	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
-    }
-    DeleteDBSubjectEntry(handle, &cert->derSubject);
-    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
-	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
-	if (smimeEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &smimeEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	}
-    }
-    if (subjectEntry->nickname) {
-	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
-	if (nicknameEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &nicknameEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
-	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
-	}
-    }
-    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
-    CERT_UnlockDB(handle);
-#endif
-    return SECSuccess;
-}
-
-void
-getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
-{
-    int j, num;
-    char *numstr, *numend, *end;
-
-    numstr = numlist;
-    end = numstr + len - 1;
-    while (numstr != end) {
-	numend = strpbrk(numstr, ", \n");
-	*numend = '\0';
-	if (PORT_Strlen(numstr) == 0)
-	    return;
-	num = PORT_Atoi(numstr);
-	if (numstr == numlist)
-	    certNums[0] = num;
-	for (j=1; j<nCerts+1; j++) {
-	    if (num == certNums[j]) {
-		certNums[j] = -1;
-		break;
-	    }
-	}
-	if (numend == end)
-	    break;
-	numstr = strpbrk(numend+1, "0123456789");
-    }
-}
-
-PRBool
-userSaysDeleteCert(CERTCertificate **certs, int nCerts,
-                   int errtype, dbRestoreInfo *info, int *certNums)
-{
-    char response[32];
-    int32 nb;
-    int i;
-    /*  User wants to remove cert without prompting.  */
-    if (info->promptUser[errtype] == PR_FALSE)
-	return (info->removeType[errtype]);
-    switch (errtype) {
-    case dbInvalidCert:
-	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
-	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
-	break;
-    case dbNoSMimeProfile:
-	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
-	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
-	break;
-    case dbOlderCert:
-	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
-	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
-	for (i=0; i<nCerts; i++)
-	    dumpCertificate(certs[i], i, PR_STDOUT);
-	PR_fprintf(PR_STDOUT, 
-	"Enter the certs you would like to keep from those listed above.\n");
-	PR_fprintf(PR_STDOUT, 
-	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
-	PR_fprintf(PR_STDOUT, 
-	"The first cert in the list will be the primary cert\n");
-	PR_fprintf(PR_STDOUT, 
-	" accessed by the nickname/email handle.\n");
-	PR_fprintf(PR_STDOUT, 
-	"List cert numbers to keep here, or hit enter\n");
-	PR_fprintf(PR_STDOUT, 
-	" to always keep only the newest cert:  ");
-	break;
-    default:
-    }
-    nb = PR_Read(PR_STDIN, response, sizeof(response));
-    PR_fprintf(PR_STDOUT, "\n\n");
-    if (errtype == dbOlderCert) {
-	if (!isdigit(response[0])) {
-	    info->promptUser[errtype] = PR_FALSE;
-	    info->removeType[errtype] = PR_TRUE;
-	    return PR_TRUE;
-	}
-	getCertsToDelete(response, nb, certNums, nCerts);
-	return PR_TRUE;
-    }
-    /*  User doesn't want to be prompted for this type anymore.  */
-    if (response[0] == 'Y') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_FALSE;
-	return PR_FALSE;
-    } else if (response[0] == 'N') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_TRUE;
-	return PR_TRUE;
-    }
-    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
-}
-
-SECStatus
-addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
-            CERTCertDBHandle *oldhandle)
-{
-    SECStatus rv = SECSuccess;
-    PRBool allowOverride;
-    PRBool userCert;
-    SECCertTimeValidity validity;
-    CERTCertificate *oldCert = NULL;
-    CERTCertificate *dbCert = NULL;
-    CERTCertificate *newCert = NULL;
-    CERTCertTrust *trust;
-    certDBEntrySMime *smimeEntry = NULL;
-    char *email = NULL;
-    char *nickname = NULL;
-    int nCertsForSubject = 1;
-
-    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
-                                        certEntry->nickname);
-    if (!oldCert) {
-	info->dbErrors[dbBadCertificate]++;
-	SEC_DestroyDBEntry((certDBEntry*)certEntry);
-	return SECSuccess;
-    }
-
-    oldCert->dbEntry = certEntry;
-    oldCert->trust = &certEntry->trust;
-    oldCert->dbhandle = oldhandle;
-
-    trust = oldCert->trust;
-
-    info->nOldCerts++;
-
-    if (info->verbose)
-	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
-
-    if (oldCert->nickname)
-	nickname = PORT_Strdup(oldCert->nickname);
-
-    /*  Always keep user certs.  Skip ahead.  */
-    /*  XXX if someone sends themselves a signed message, it is possible
-	for their cert to be imported as an "other" cert, not a user cert.
-	this mucks with smime entries...  */
-    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-    if (userCert)
-	goto createcert;
-
-    /*  If user chooses so, ignore expired certificates.  */
-    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
-                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
-    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
-    /*  If cert expired and user wants to delete it, ignore it. */
-    if ((validity != secCertTimeValid) && 
-	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
-	info->dbErrors[dbInvalidCert]++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Deleting expired certificate:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-
-    /*  New database will already have default certs, don't attempt
-	to overwrite them.  */
-    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
-    if (dbCert) {
-	info->nCerts++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Added certificate to database:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-    
-    /*  Determine if cert is S/MIME and get its email if so.  */
-    email = IsEmailCert(oldCert);
-
-    /*
-	XXX  Just create empty profiles?
-    if (email) {
-	SECItem *profile = CERT_FindSMimeProfile(oldCert);
-	if (!profile &&
-	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
-	    info->dbErrors[dbNoSMimeProfile]++;
-	    if (info->verbose) {
-		PR_fprintf(info->out, 
-		           "Deleted cert missing S/MIME profile.\n");
-		dumpCertificate(oldCert, -1, info->out);
-	    }
-	    goto cleanup;
-	} else {
-	    SECITEM_FreeItem(profile);
-	}
-    }
-    */
-
-createcert:
-
-    /*  Sometimes happens... */
-    if (!nickname && userCert)
-	nickname = PORT_Strdup(oldCert->subjectName);
-
-    /*  Create a new certificate, copy of the old one.  */
-    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
-                                      nickname, PR_FALSE, PR_TRUE);
-    if (!newCert) {
-	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbBadCertificate]++;
-	goto cleanup;
-    }
-
-    /*  Add the cert to the new database.  */
-    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
-    if (rv) {
-	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbCertNotWrittenToDB]++;
-	goto cleanup;
-    }
-
-    if (info->verbose) {
-	PR_fprintf(info->out, "Added certificate to database:\n");
-	dumpCertificate(oldCert, -1, info->out);
-    }
-
-    /*  If the cert is an S/MIME cert, and the first with it's subject,
-     *  modify the subject entry to include the email address,
-     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
-     */
-    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
-#if 0
-	UpdateSubjectWithEmailAddr(newCert, email);
-#endif
-	SECItem emailProfile, profileTime;
-	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
-	/*  calls UpdateSubjectWithEmailAddr  */
-	if (rv == SECSuccess)
-	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
-    }
-
-    info->nCerts++;
-
-cleanup:
-
-    if (nickname)
-	PORT_Free(nickname);
-    if (email)
-	PORT_Free(email);
-    if (oldCert)
-	CERT_DestroyCertificate(oldCert);
-    if (dbCert)
-	CERT_DestroyCertificate(dbCert);
-    if (newCert)
-	CERT_DestroyCertificate(newCert);
-    if (smimeEntry)
-	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-    return SECSuccess;
-}
-
-#if 0
-SECStatus
-copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
-{
-    SECStatus rv;
-    CERTCertDBHandle *newdb = (CERTCertDBHandle *)pdata;
-    certDBEntryCommon common;
-    SECItem dbkey;
-
-    common.type = type;
-    common.version = CERT_DB_FILE_VERSION;
-    common.flags = data->data[2];
-    common.arena = NULL;
-
-    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
-    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
-    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
-    dbkey.data[0] = type;
-
-    rv = WriteDBEntry(newdb, &common, &dbkey, data);
-
-    PORT_Free(dbkey.data);
-    return rv;
-}
-#endif
-
-int
-certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
-{
-    return !CERT_IsNewer(*cert1, *cert2);
-}
-
-int
-findNewestSubjectForEmail(CERTCertDBHandle *handle, int subjectNum,
-                          certDBArray *dbArray, dbRestoreInfo *info,
-                          int *subjectWithSMime, int *smimeForSubject)
-{
-    int newestSubject;
-    int subjectsForEmail[50];
-    int i, j, ns, sNum;
-    certDBEntryListNode *subjects = &dbArray->subjects;
-    certDBEntryListNode *smime = &dbArray->smime;
-    certDBEntrySubject *subjectEntry1, *subjectEntry2;
-    certDBEntrySMime *smimeEntry;
-    CERTCertificate **certs;
-    CERTCertificate *cert;
-    CERTCertTrust *trust;
-    PRBool userCert;
-    int *certNums;
-
-    ns = 0;
-    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
-    subjectsForEmail[ns++] = subjectNum;
-
-    *subjectWithSMime = -1;
-    *smimeForSubject = -1;
-    newestSubject = subjectNum;
-
-    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-    if (cert) {
-	trust = cert->trust;
-	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-	CERT_DestroyCertificate(cert);
-    }
-
-    /*
-     * XXX Should we make sure that subjectEntry1->emailAddr is not
-     * a null pointer or an empty string before going into the next
-     * two for loops, which pass it to PORT_Strcmp?
-     */
-
-    /*  Loop over the remaining subjects.  */
-    for (i=subjectNum+1; i<subjects.numEntries; i++) {
-	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
-	if (!subjectEntry2)
-	    continue;
-	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
-	     PORT_Strcmp(subjectEntry1->emailAddr, 
-	                 subjectEntry2->emailAddr) == 0) {
-	    /*  Found a subject using the same email address.  */
-	    subjectsForEmail[ns++] = i;
-	}
-    }
-
-    /*  Find the S/MIME entry for this email address.  */
-    for (i=0; i<smime.numEntries; i++) {
-	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
-	if (smimeEntry->common.arena == NULL)
-	    continue;
-	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
-	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
-	    /*  Find which of the subjects uses this S/MIME entry.  */
-	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
-		sNum = subjectsForEmail[j];
-		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
-		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
-		                          &subjectEntry2->derSubject)) {
-		    /*  Found the subject corresponding to the S/MIME entry. */
-		    *subjectWithSMime = sNum;
-		    *smimeForSubject = i;
-		}
-	    }
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
-	    break;
-	}
-    }
-
-    if (ns <= 1)
-	return subjectNum;
-
-    if (userCert)
-	return *subjectWithSMime;
-
-    /*  Now find which of the subjects has the newest cert.  */
-    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
-    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
-    certNums[0] = 0;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-	certNums[i+1] = i;
-    }
-    /*  Sort the array by validity.  */
-    qsort(certs, ns, sizeof(CERTCertificate*), 
-          (int (*)(const void *, const void *))certIsOlder);
-    newestSubject = -1;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
-	                          &certs[0]->derSubject))
-	    newestSubject = sNum;
-	else
-	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
-    }
-    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
-	for (i=1; i<ns+1; i++) {
-	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
-		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
-		info->dbErrors[dbOlderCert]++;
-	    }
-	}
-    }
-    CERT_DestroyCertArray(certs, ns);
-    return newestSubject;
-}
-
-CERTCertDBHandle *
-DBCK_ReconstructDBFromCerts(CERTCertDBHandle *oldhandle, char *newdbname,
-                            PRFileDesc *outfile, PRBool removeExpired,
-                            PRBool requireProfile, PRBool singleEntry,
-                            PRBool promptUser)
-{
-    SECStatus rv;
-    dbRestoreInfo info;
-    certDBEntryContentVersion *oldContentVersion;
-    certDBArray dbArray;
-    int i;
-
-    PORT_Memset(&dbArray, 0, sizeof(dbArray));
-    PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
-    info.out = (outfile) ? outfile : PR_STDOUT;
-    info.removeType[dbInvalidCert] = removeExpired;
-    info.removeType[dbNoSMimeProfile] = requireProfile;
-    info.removeType[dbOlderCert] = singleEntry;
-    info.promptUser[dbInvalidCert]  = promptUser;
-    info.promptUser[dbNoSMimeProfile]  = promptUser;
-    info.promptUser[dbOlderCert]  = promptUser;
-
-    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
-    info.handle = (CERTCertDBHandle *)PORT_ZAlloc(sizeof(CERTCertDBHandle));
-    if (!info.handle) {
-	fprintf(stderr, "unable to get database handle");
-	return NULL;
-    }
-
-    /*  Create a certdb with the most recent set of roots.  */
-    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
-
-    if (rv) {
-	fprintf(stderr, "could not open certificate database");
-	goto loser;
-    }
-
-    /*  Create certificate, subject, nickname, and email records.
-     *  mcom_db seems to have a sequential access bug.  Though reads and writes
-     *  should be allowed during traversal, they seem to screw up the sequence.
-     *  So, stuff all the cert entries into an array, and loop over the array
-     *  doing read/writes in the db.
-     */
-    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
-    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
-         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
-	/* entries get destroyed in addCertToDB */
-    }
-#if 0
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
-                               copyDBEntry, info.handle);
-#endif
-
-    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
-     *  Create S/MIME entries for S/MIME certs.
-     *  Have the S/MIME entry point to the last-expiring cert using
-     *  an email address.
-     */
-#if 0
-    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
-#endif
-
-    freeDBEntryList(&dbArray.certs.link);
-
-    /*  Copy over the version record.  */
-    /*  XXX Already exists - and _must_ be correct... */
-    /*
-    versionEntry = ReadDBVersionEntry(oldhandle);
-    rv = WriteDBVersionEntry(info.handle, versionEntry);
-    */
-
-    /*  Copy over the content version record.  */
-    /*  XXX Can probably get useful info from old content version?
-     *      Was this db created before/after this tool?  etc.
-     */
-#if 0
-    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
-    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
-#endif
-
-#if 0
-    /*  Copy over the CRL & KRL records.  */
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
-                               copyDBEntry, info.handle);
-    /*  XXX Only one KRL, just do db->get? */
-    rv = SEC_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
-                               copyDBEntry, info.handle);
-#endif
-
-    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
-
-    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
-    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
-                       info.dbErrors[dbInvalidCert]);
-    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
-                       info.dbErrors[dbNoSMimeProfile]);
-    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
-                       info.dbErrors[dbOlderCert]);
-    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
-                       info.dbErrors[dbBadCertificate]);
-    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
-                       info.dbErrors[dbCertNotWrittenToDB]);
-
-    if (rv)
-	goto loser;
-
-    return info.handle;
-
-loser:
-    if (info.handle) 
-	PORT_Free(info.handle);
-    return NULL;
-}
+#include "dbrecover.c"
 #endif /* DORECOVER */
 
 enum {
     cmd_Debug = 0,
     cmd_LongUsage,
     cmd_Recover
 };
 
@@ -1731,34 +1180,72 @@ static secuCommandFlag dbck_options[] =
     { /* opt_Mailfile,          */  'm', PR_FALSE, 0, PR_FALSE },
     { /* opt_Prompt,            */  'p', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepRedundant,     */  'r', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepNoSMimeProfile,*/  's', PR_FALSE, 0, PR_FALSE },
     { /* opt_Verbose,           */  'v', PR_FALSE, 0, PR_FALSE },
     { /* opt_KeepExpired,       */  'x', PR_FALSE, 0, PR_FALSE }
 };
 
+#define CERT_DB_FMT "%s/cert%s.db"
+
+static char *
+dbck_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+
+    switch (dbVersion) {
+      case 8:
+	dbver = "8";
+	break;
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    /* make sure we return something allocated with PORT_ so we have properly
+     * matched frees at the end */
+    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+    
+
 int 
 main(int argc, char **argv)
 {
-    CERTCertDBHandle *certHandle;
+    NSSLOWCERTCertDBHandle *certHandle;
 
-    PRFileInfo fileInfo;
     PRFileDesc *mailfile = NULL;
     PRFileDesc *dumpfile = NULL;
 
     char * pathname     = 0;
     char * fullname     = 0;
     char * newdbname    = 0;
 
     PRBool removeExpired, requireProfile, singleEntry;
-    
-    SECStatus rv;
+    SECStatus   rv;
+    secuCommand dbck;
 
-    secuCommand dbck;
     dbck.numCommands = sizeof(dbck_commands) / sizeof(secuCommandFlag);
     dbck.numOptions = sizeof(dbck_options) / sizeof(secuCommandFlag);
     dbck.commands = dbck_commands;
     dbck.options = dbck_options;
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
 
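Review bot: `dbck_certdb_name_cb` has no header comment, so its ownership and fallback behaviour have to be read out of the body. The `default` arm shares the `case 4` path, which means any unrecognised `dbVersion` silently maps to the unversioned `cert.db` name, and the function returns NULL when either allocation fails. I would add something like `/* Name callback for nsslowcert_OpenCertDB: returns "<configdir>/cert<ver>.db" as a PORT_Strdup'd string (NULL on allocation failure); versions other than 5-8 yield "cert.db". */`. The existing inline comment implies the caller releases the string with the PORT_ allocator, which is worth stating outright. `arg` is also used as the directory without a NULL check, so the comment should say it must be a valid string.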
@@ -1767,89 +1254,108 @@ main(int argc, char **argv)
     if (rv != SECSuccess)
 	Usage(progName);
 
     if (dbck.commands[cmd_LongUsage].activated)
 	LongUsage(progName);
 
     if (!dbck.commands[cmd_Debug].activated &&
         !dbck.commands[cmd_Recover].activated) {
-	PR_fprintf(PR_STDERR, "Please specify -D or -R.\n");
+	PR_fprintf(PR_STDERR, "Please specify -H, -D or -R.\n");
 	Usage(progName);
     }
 
     removeExpired = !(dbck.options[opt_KeepAll].activated ||
                       dbck.options[opt_KeepExpired].activated);
 
     requireProfile = !(dbck.options[opt_KeepAll].activated ||
                     dbck.options[opt_KeepNoSMimeProfile].activated);
 
     singleEntry = !(dbck.options[opt_KeepAll].activated ||
                     dbck.options[opt_KeepRedundant].activated);
 
     if (dbck.options[opt_OutputDB].activated) {
 	newdbname = PL_strdup(dbck.options[opt_OutputDB].arg);
     } else {
-	newdbname = PL_strdup("new_cert7.db");
+	newdbname = PL_strdup("new_cert8.db");
     }
 
     /*  Create a generic graph of the database.  */
     if (dbck.options[opt_Mailfile].activated) {
 	mailfile = PR_Open("./mailfile", PR_RDWR | PR_CREATE_FILE, 00660);
 	if (!mailfile) {
 	    fprintf(stderr, "Unable to create mailfile.\n");
 	    return -1;
 	}
     }
 
     /*  Dump all debugging info while running.  */
     if (dbck.options[opt_Verbose].activated) {
 	if (dbck.options[opt_Dumpfile].activated) {
 	    dumpfile = PR_Open(dbck.options[opt_Dumpfile].arg,
 	                       PR_RDWR | PR_CREATE_FILE, 00660);
-	}
-	if (!dumpfile) {
-	    fprintf(stderr, "Unable to create dumpfile.\n");
-	    return -1;
+	    if (!dumpfile) {
+		fprintf(stderr, "Unable to create dumpfile.\n");
+		return -1;
+	    }
+	} else {
+	    dumpfile = PR_STDOUT;
 	}
     }
 
     /*  Set the cert database directory.  */
     if (dbck.options[opt_CertDir].activated) {
 	SECU_ConfigDirectory(dbck.options[opt_CertDir].arg);
     }
 
+    pathname = SECU_ConfigDirectory(NULL);
+
     PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    SEC_Init();
+    rv = NSS_NoDB_Init(pathname);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "NSS_NoDB_Init failed\n");
+	return -1;
+    }
 
-    certHandle = (CERTCertDBHandle *)PORT_ZAlloc(sizeof(CERTCertDBHandle));
+    certHandle = PORT_ZNew(NSSLOWCERTCertDBHandle);
     if (!certHandle) {
 	SECU_PrintError(progName, "unable to get database handle");
 	return -1;
     }
+    certHandle->ref = 1;
 
+#ifdef NOTYET
     /*  Open the possibly corrupt database.  */
     if (dbck.options[opt_InputDB].activated) {
-	pathname = SECU_ConfigDirectory(NULL);
+	PRFileInfo fileInfo;
 	fullname = PR_smprintf("%s/%s", pathname, 
 	                                dbck.options[opt_InputDB].arg);
 	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
 	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
 	    return -1;
 	}
 	rv = CERT_OpenCertDBFilename(certHandle, fullname, PR_TRUE);
-    } else {
+    } else 
+#endif
+    {
 	/*  Use the default.  */
+#ifdef NOTYET
 	fullname = SECU_CertDBNameCallback(NULL, CERT_DB_FILE_VERSION);
 	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
 	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
 	    return -1;
 	}
-	rv = CERT_OpenCertDB(certHandle, PR_TRUE, 
-	                     SECU_CertDBNameCallback, NULL);
+#endif
+	rv = nsslowcert_OpenCertDB(certHandle, 
+	                           PR_TRUE, 		    /* readOnly */
+				   NULL,                    /* rdb appName */
+				   "",                      /* rdb prefix */
+	                           dbck_certdb_name_cb,     /* namecb */
+				   pathname, 		    /* configDir */
+				   PR_FALSE);		    /* volatile */
     }
 
     if (rv) {
 	SECU_PrintError(progName, "unable to open cert database");
 	return -1;
     }
 
     if (dbck.commands[cmd_Debug].activated) {
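Review bot: With the `opt_InputDB` branch wrapped in `#ifdef NOTYET`, an input-database argument is no longer acted on, and the tool opens the default `cert*.db` under `pathname` through `dbck_certdb_name_cb` instead. For a database checker that lets an operator believe one file was examined when another was. Until the branch is restored, reject the option explicitly, e.g. `if (dbck.options[opt_InputDB].activated) { SECU_PrintError(progName, "input database option is not supported"); return -1; }`. Separately, the new `dumpfile = PR_STDOUT;` default reaches the unchanged `if (dumpfile) PR_Close(dumpfile);` at the end of main (next hunk), so that close should become `if (dumpfile && dumpfile != PR_STDOUT)`. main starts and ends outside this hunk.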
@@ -1867,13 +1373,13 @@ main(int argc, char **argv)
     }
 #endif
 
     if (mailfile)
 	PR_Close(mailfile);
     if (dumpfile)
 	PR_Close(dumpfile);
     if (certHandle) {
-	CERT_ClosePermCertDB(certHandle);
+	nsslowcert_ClosePermCertDB(certHandle);
 	PORT_Free(certHandle);
     }
     return -1;
 }
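Review bot: After the switch to `nsslowcert_ClosePermCertDB(certHandle);`, the unchanged `PORT_Free(certHandle);` on the next line depends on an ownership contract this diff does not show. If the lowcert close routine releases the handle itself (to be confirmed in the softoken sources), the second call is a double free and should be dropped. The `certHandle->ref = 1;` added earlier in main suggests the handle is now reference-counted. Whichever side owns it, a short comment above the close, such as `/* nsslowcert_ClosePermCertDB closes the DB; the handle allocated with PORT_ZNew is freed here */`, would make the intent checkable. main begins outside this hunk.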
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/dbck/dbrecover.c
@@ -0,0 +1,702 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+enum {
+    dbInvalidCert = 0,
+    dbNoSMimeProfile,
+    dbOlderCert,
+    dbBadCertificate,
+    dbCertNotWrittenToDB
+};
+
+typedef struct dbRestoreInfoStr
+{
+    NSSLOWCERTCertDBHandle *handle;
+    PRBool verbose;
+    PRFileDesc *out;
+    int nCerts;
+    int nOldCerts;
+    int dbErrors[5];
+    PRBool removeType[3];
+    PRBool promptUser[3];
+} dbRestoreInfo;
+
+char *
+IsEmailCert(CERTCertificate *cert)
+{
+    char *email, *tmp1, *tmp2;
+    PRBool isCA;
+    int len;
+
+    if (!cert->subjectName) {
+	return NULL;
+    }
+
+    tmp1 = PORT_Strstr(cert->subjectName, "E=");
+    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
+    /* XXX Nelson has cert for KTrilli which does not have either
+     * of above but is email cert (has cert->emailAddr). 
+     */
+    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
+	return NULL;
+    }
+
+    /*  Server or CA cert, not personal email.  */
+    isCA = CERT_IsCACert(cert, NULL);
+    if (isCA)
+	return NULL;
+
+    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
+	but doesn't appear to. */
+    /*  Check the key usage extension.  */
+    if (cert->keyUsagePresent) {
+	/*  Must at least be able to sign or encrypt (not neccesarily
+	 *  both if it is one of a dual cert).  
+	 */
+	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
+              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
+	    return NULL;
+
+	/*  CA cert, not personal email.  */
+	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
+	    return NULL;
+    }
+
+    if (cert->emailAddr && cert->emailAddr[0]) {
+	email = PORT_Strdup(cert->emailAddr);
+    } else {
+	if (tmp1)
+	    tmp1 += 2; /* "E="  */
+	else
+	    tmp1 = tmp2 + 5; /* "MAIL=" */
+	len = strcspn(tmp1, ", ");
+	email = (char*)PORT_Alloc(len+1);
+	PORT_Strncpy(email, tmp1, len);
+	email[len] = '\0';
+    }
+
+    return email;
+}
+
+SECStatus
+deleteit(CERTCertificate *cert, void *arg)
+{
+    return SEC_DeletePermCertificate(cert);
+}
+
+/*  Different than DeleteCertificate - has the added bonus of removing
+ *  all certs with the same DN.  
+ */
+SECStatus
+deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
+                        PRFileDesc *outfile)
+{
+#if 0
+    certDBEntrySubject *subjectEntry;
+    certDBEntryNickname *nicknameEntry;
+    certDBEntrySMime *smimeEntry;
+    int i;
+#endif
+
+    if (outfile) {
+	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
+	PR_fprintf(outfile, "Deleting redundant certificate:\n");
+	dumpCertificate(cert, -1, outfile);
+    }
+
+    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
+#if 0
+    CERT_LockDB(handle);
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+    /*  It had better be there, or created a bad db.  */
+    PORT_Assert(subjectEntry);
+    for (i=0; i<subjectEntry->ncerts; i++) {
+	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
+    }
+    DeleteDBSubjectEntry(handle, &cert->derSubject);
+    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
+	if (smimeEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &smimeEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	}
+    }
+    if (subjectEntry->nickname) {
+	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
+	if (nicknameEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &nicknameEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
+	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
+	}
+    }
+    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
+    CERT_UnlockDB(handle);
+#endif
+    return SECSuccess;
+}
+
+void
+getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
+{
+    int j, num;
+    char *numstr, *numend, *end;
+
+    numstr = numlist;
+    end = numstr + len - 1;
+    while (numstr != end) {
+	numend = strpbrk(numstr, ", \n");
+	*numend = '\0';
+	if (PORT_Strlen(numstr) == 0)
+	    return;
+	num = PORT_Atoi(numstr);
+	if (numstr == numlist)
+	    certNums[0] = num;
+	for (j=1; j<nCerts+1; j++) {
+	    if (num == certNums[j]) {
+		certNums[j] = -1;
+		break;
+	    }
+	}
+	if (numend == end)
+	    break;
+	numstr = strpbrk(numend+1, "0123456789");
+    }
+}
+
+PRBool
+userSaysDeleteCert(CERTCertificate **certs, int nCerts,
+                   int errtype, dbRestoreInfo *info, int *certNums)
+{
+    char response[32];
+    int32 nb;
+    int i;
+    /*  User wants to remove cert without prompting.  */
+    if (info->promptUser[errtype] == PR_FALSE)
+	return (info->removeType[errtype]);
+    switch (errtype) {
+    case dbInvalidCert:
+	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
+	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
+	break;
+    case dbNoSMimeProfile:
+	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
+	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
+	break;
+    case dbOlderCert:
+	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
+	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
+	for (i=0; i<nCerts; i++)
+	    dumpCertificate(certs[i], i, PR_STDOUT);
+	PR_fprintf(PR_STDOUT, 
+	"Enter the certs you would like to keep from those listed above.\n");
+	PR_fprintf(PR_STDOUT, 
+	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
+	PR_fprintf(PR_STDOUT, 
+	"The first cert in the list will be the primary cert\n");
+	PR_fprintf(PR_STDOUT, 
+	" accessed by the nickname/email handle.\n");
+	PR_fprintf(PR_STDOUT, 
+	"List cert numbers to keep here, or hit enter\n");
+	PR_fprintf(PR_STDOUT, 
+	" to always keep only the newest cert:  ");
+	break;
+    default:
+    }
+    nb = PR_Read(PR_STDIN, response, sizeof(response));
+    PR_fprintf(PR_STDOUT, "\n\n");
+    if (errtype == dbOlderCert) {
+	if (!isdigit(response[0])) {
+	    info->promptUser[errtype] = PR_FALSE;
+	    info->removeType[errtype] = PR_TRUE;
+	    return PR_TRUE;
+	}
+	getCertsToDelete(response, nb, certNums, nCerts);
+	return PR_TRUE;
+    }
+    /*  User doesn't want to be prompted for this type anymore.  */
+    if (response[0] == 'Y') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_FALSE;
+	return PR_FALSE;
+    } else if (response[0] == 'N') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_TRUE;
+	return PR_TRUE;
+    }
+    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
+}
+
+SECStatus
+addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
+            NSSLOWCERTCertDBHandle *oldhandle)
+{
+    SECStatus rv = SECSuccess;
+    PRBool allowOverride;
+    PRBool userCert;
+    SECCertTimeValidity validity;
+    CERTCertificate *oldCert = NULL;
+    CERTCertificate *dbCert = NULL;
+    CERTCertificate *newCert = NULL;
+    CERTCertTrust *trust;
+    certDBEntrySMime *smimeEntry = NULL;
+    char *email = NULL;
+    char *nickname = NULL;
+    int nCertsForSubject = 1;
+
+    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
+                                        certEntry->nickname);
+    if (!oldCert) {
+	info->dbErrors[dbBadCertificate]++;
+	SEC_DestroyDBEntry((certDBEntry*)certEntry);
+	return SECSuccess;
+    }
+
+    oldCert->dbEntry = certEntry;
+    oldCert->trust = &certEntry->trust;
+    oldCert->dbhandle = oldhandle;
+
+    trust = oldCert->trust;
+
+    info->nOldCerts++;
+
+    if (info->verbose)
+	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
+
+    if (oldCert->nickname)
+	nickname = PORT_Strdup(oldCert->nickname);
+
+    /*  Always keep user certs.  Skip ahead.  */
+    /*  XXX if someone sends themselves a signed message, it is possible
+	for their cert to be imported as an "other" cert, not a user cert.
+	this mucks with smime entries...  */
+    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+    if (userCert)
+	goto createcert;
+
+    /*  If user chooses so, ignore expired certificates.  */
+    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
+                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
+    /*  If cert expired and user wants to delete it, ignore it. */
+    if ((validity != secCertTimeValid) && 
+	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
+	info->dbErrors[dbInvalidCert]++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Deleting expired certificate:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+
+    /*  New database will already have default certs, don't attempt
+	to overwrite them.  */
+    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
+    if (dbCert) {
+	info->nCerts++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Added certificate to database:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+    
+    /*  Determine if cert is S/MIME and get its email if so.  */
+    email = IsEmailCert(oldCert);
+
+    /*
+	XXX  Just create empty profiles?
+    if (email) {
+	SECItem *profile = CERT_FindSMimeProfile(oldCert);
+	if (!profile &&
+	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
+	    info->dbErrors[dbNoSMimeProfile]++;
+	    if (info->verbose) {
+		PR_fprintf(info->out, 
+		           "Deleted cert missing S/MIME profile.\n");
+		dumpCertificate(oldCert, -1, info->out);
+	    }
+	    goto cleanup;
+	} else {
+	    SECITEM_FreeItem(profile);
+	}
+    }
+    */
+
+createcert:
+
+    /*  Sometimes happens... */
+    if (!nickname && userCert)
+	nickname = PORT_Strdup(oldCert->subjectName);
+
+    /*  Create a new certificate, copy of the old one.  */
+    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
+                                      nickname, PR_FALSE, PR_TRUE);
+    if (!newCert) {
+	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbBadCertificate]++;
+	goto cleanup;
+    }
+
+    /*  Add the cert to the new database.  */
+    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
+    if (rv) {
+	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbCertNotWrittenToDB]++;
+	goto cleanup;
+    }
+
+    if (info->verbose) {
+	PR_fprintf(info->out, "Added certificate to database:\n");
+	dumpCertificate(oldCert, -1, info->out);
+    }
+
+    /*  If the cert is an S/MIME cert, and the first with it's subject,
+     *  modify the subject entry to include the email address,
+     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
+     */
+    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
+#if 0
+	UpdateSubjectWithEmailAddr(newCert, email);
+#endif
+	SECItem emailProfile, profileTime;
+	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
+	/*  calls UpdateSubjectWithEmailAddr  */
+	if (rv == SECSuccess)
+	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
+    }
+
+    info->nCerts++;
+
+cleanup:
+
+    if (nickname)
+	PORT_Free(nickname);
+    if (email)
+	PORT_Free(email);
+    if (oldCert)
+	CERT_DestroyCertificate(oldCert);
+    if (dbCert)
+	CERT_DestroyCertificate(dbCert);
+    if (newCert)
+	CERT_DestroyCertificate(newCert);
+    if (smimeEntry)
+	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+    return SECSuccess;
+}
+
+#if 0
+SECStatus
+copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
+{
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
+    certDBEntryCommon common;
+    SECItem dbkey;
+
+    common.type = type;
+    common.version = CERT_DB_FILE_VERSION;
+    common.flags = data->data[2];
+    common.arena = NULL;
+
+    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
+    dbkey.data[0] = type;
+
+    rv = WriteDBEntry(newdb, &common, &dbkey, data);
+
+    PORT_Free(dbkey.data);
+    return rv;
+}
+#endif
+
+int
+certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
+{
+    return !CERT_IsNewer(*cert1, *cert2);
+}
+
+int
+findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
+                          certDBArray *dbArray, dbRestoreInfo *info,
+                          int *subjectWithSMime, int *smimeForSubject)
+{
+    int newestSubject;
+    int subjectsForEmail[50];
+    int i, j, ns, sNum;
+    certDBEntryListNode *subjects = &dbArray->subjects;
+    certDBEntryListNode *smime = &dbArray->smime;
+    certDBEntrySubject *subjectEntry1, *subjectEntry2;
+    certDBEntrySMime *smimeEntry;
+    CERTCertificate **certs;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    PRBool userCert;
+    int *certNums;
+
+    ns = 0;
+    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
+    subjectsForEmail[ns++] = subjectNum;
+
+    *subjectWithSMime = -1;
+    *smimeForSubject = -1;
+    newestSubject = subjectNum;
+
+    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+    if (cert) {
+	trust = cert->trust;
+	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+	CERT_DestroyCertificate(cert);
+    }
+
+    /*
+     * XXX Should we make sure that subjectEntry1->emailAddr is not
+     * a null pointer or an empty string before going into the next
+     * two for loops, which pass it to PORT_Strcmp?
+     */
+
+    /*  Loop over the remaining subjects.  */
+    for (i=subjectNum+1; i<subjects.numEntries; i++) {
+	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
+	if (!subjectEntry2)
+	    continue;
+	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
+	     PORT_Strcmp(subjectEntry1->emailAddr, 
+	                 subjectEntry2->emailAddr) == 0) {
+	    /*  Found a subject using the same email address.  */
+	    subjectsForEmail[ns++] = i;
+	}
+    }
+
+    /*  Find the S/MIME entry for this email address.  */
+    for (i=0; i<smime.numEntries; i++) {
+	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
+	if (smimeEntry->common.arena == NULL)
+	    continue;
+	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
+	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
+	    /*  Find which of the subjects uses this S/MIME entry.  */
+	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
+		sNum = subjectsForEmail[j];
+		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
+		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
+		                          &subjectEntry2->derSubject)) {
+		    /*  Found the subject corresponding to the S/MIME entry. */
+		    *subjectWithSMime = sNum;
+		    *smimeForSubject = i;
+		}
+	    }
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
+	    break;
+	}
+    }
+
+    if (ns <= 1)
+	return subjectNum;
+
+    if (userCert)
+	return *subjectWithSMime;
+
+    /*  Now find which of the subjects has the newest cert.  */
+    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
+    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
+    certNums[0] = 0;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+	certNums[i+1] = i;
+    }
+    /*  Sort the array by validity.  */
+    qsort(certs, ns, sizeof(CERTCertificate*), 
+          (int (*)(const void *, const void *))certIsOlder);
+    newestSubject = -1;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
+	                          &certs[0]->derSubject))
+	    newestSubject = sNum;
+	else
+	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
+    }
+    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
+	for (i=1; i<ns+1; i++) {
+	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
+		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
+		info->dbErrors[dbOlderCert]++;
+	    }
+	}
+    }
+    CERT_DestroyCertArray(certs, ns);
+    return newestSubject;
+}
+
+NSSLOWCERTCertDBHandle *
+DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
+                            PRFileDesc *outfile, PRBool removeExpired,
+                            PRBool requireProfile, PRBool singleEntry,
+                            PRBool promptUser)
+{
+    SECStatus rv;
+    dbRestoreInfo info;
+    certDBEntryContentVersion *oldContentVersion;
+    certDBArray dbArray;
+    int i;
+
+    PORT_Memset(&dbArray, 0, sizeof(dbArray));
+    PORT_Memset(&info, 0, sizeof(info));
+    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
+    info.out = (outfile) ? outfile : PR_STDOUT;
+    info.removeType[dbInvalidCert] = removeExpired;
+    info.removeType[dbNoSMimeProfile] = requireProfile;
+    info.removeType[dbOlderCert] = singleEntry;
+    info.promptUser[dbInvalidCert]  = promptUser;
+    info.promptUser[dbNoSMimeProfile]  = promptUser;
+    info.promptUser[dbOlderCert]  = promptUser;
+
+    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
+    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
+    if (!info.handle) {
+	fprintf(stderr, "unable to get database handle");
+	return NULL;
+    }
+
+    /*  Create a certdb with the most recent set of roots.  */
+    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
+
+    if (rv) {
+	fprintf(stderr, "could not open certificate database");
+	goto loser;
+    }
+
+    /*  Create certificate, subject, nickname, and email records.
+     *  mcom_db seems to have a sequential access bug.  Though reads and writes
+     *  should be allowed during traversal, they seem to screw up the sequence.
+     *  So, stuff all the cert entries into an array, and loop over the array
+     *  doing read/writes in the db.
+     */
+    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
+    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
+         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
+	/* entries get destroyed in addCertToDB */
+    }
+#if 0
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
+                               copyDBEntry, info.handle);
+#endif
+
+    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
+     *  Create S/MIME entries for S/MIME certs.
+     *  Have the S/MIME entry point to the last-expiring cert using
+     *  an email address.
+     */
+#if 0
+    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
+#endif
+
+    freeDBEntryList(&dbArray.certs.link);
+
+    /*  Copy over the version record.  */
+    /*  XXX Already exists - and _must_ be correct... */
+    /*
+    versionEntry = ReadDBVersionEntry(oldhandle);
+    rv = WriteDBVersionEntry(info.handle, versionEntry);
+    */
+
+    /*  Copy over the content version record.  */
+    /*  XXX Can probably get useful info from old content version?
+     *      Was this db created before/after this tool?  etc.
+     */
+#if 0
+    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
+    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
+#endif
+
+#if 0
+    /*  Copy over the CRL & KRL records.  */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
+                               copyDBEntry, info.handle);
+    /*  XXX Only one KRL, just do db->get? */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
+                               copyDBEntry, info.handle);
+#endif
+
+    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
+
+    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
+    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
+                       info.dbErrors[dbInvalidCert]);
+    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
+                       info.dbErrors[dbNoSMimeProfile]);
+    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
+                       info.dbErrors[dbOlderCert]);
+    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
+                       info.dbErrors[dbBadCertificate]);
+    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
+                       info.dbErrors[dbCertNotWrittenToDB]);
+
+    if (rv)
+	goto loser;
+
+    return info.handle;
+
+loser:
+    if (info.handle) 
+	PORT_Free(info.handle);
+    return NULL;
+}
+
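Review bot: In `findNewestSubjectForEmail`, `subjectsForEmail[ns++] = i;` stores into the fixed `int subjectsForEmail[50]` with no bound, so more than 50 subject entries sharing one email address overrun the stack array. The input is a possibly corrupt cert DB, so the loop needs `if (ns >= (int)(sizeof subjectsForEmail / sizeof subjectsForEmail[0])) break;` before the store. The same function reads `userCert` uninitialised when `CERT_FindCertByKey` returns NULL, so declare it as `PRBool userCert = PR_FALSE;`. In `userSaysDeleteCert`, the `PR_Read` result is unchecked and `response` is never NUL-terminated before `getCertsToDelete` runs `strpbrk` over it and writes through the result without a NULL test. Reading at most `sizeof(response) - 1` bytes, terminating the buffer and returning early on `nb <= 0` would close that, and the bare `default:` label there needs a `break;` to be valid C. The code appears to be moved unchanged from the block removed above and is only included under `DORECOVER`, so these predate the commit, but the move is the natural place to fix them.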
--- a/security/nss/cmd/dbck/manifest.mn
+++ b/security/nss/cmd/dbck/manifest.mn
@@ -46,8 +46,9 @@ CSRCS = \
 	dbck.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = dbm seccmd
 
 PROGRAM = dbck
+USE_STATIC_LIBS = 1
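Review bot: `USE_STATIC_LIBS = 1` is appended to manifest.mn with no comment saying why dbck has to link statically. dbck.c in this commit refers to `nsslowcert_*` names, which look like library-internal symbols, so the static link is presumably what makes them reachable; a line such as `# dbck uses library-internal nsslowcert_* functions, so link the static libraries` would record that for the next maintainer. A statically linked tool also carries its own copy of the library code, so it must be rebuilt and reshipped to pick up fixes made to the shared libraries.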
--- a/security/nss/cmd/dbtest/Makefile
+++ b/security/nss/cmd/dbtest/Makefile
@@ -57,26 +57,16 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 include ../platlibs.mk
 
 ifdef XP_OS2_VACPP
 CFLAGS += -I../modutil
 endif
 
-ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
-ifndef BUILD_OPT
-ifndef NS_USE_GCC
-LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
-endif
-OS_CFLAGS += -D_CONSOLE
-endif
-endif
-
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/security/nss/cmd/fipstest/Makefile
+++ b/security/nss/cmd/fipstest/Makefile
@@ -57,20 +57,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
 include ../platlibs.mk
 
-#EXTRA_SHARED_LIBS += \
-#	-L/usr/lib \
-#	-lposix4 \
-#	$(NULL)
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
new file mode 100755
--- /dev/null
+++ b/security/nss/cmd/fipstest/dsa.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa keypair $request > $response
+
+request=PQGGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqggen $request > $response
+
+request=PQGVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqgver $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa sigver $request > $response
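Review bot: None of the five `fipstest dsa ...` invocations checks its exit status, so a failed run (or a fipstest that is not on PATH) still leaves an empty or truncated .rsp file and the script moves on to the next request. For output that is meant to be submitted for validation, it is safer to stop on the first failure, for example `fipstest dsa keypair $request > $response || exit 1` on each call, or `set -e` after the header comment. The `sed -e "s/req/rsp/"` substitution is also unanchored and rewrites the first "req" anywhere in the name; `sed -e 's/\.req$/.rsp/'` ties it to the extension. The four calls in ecdsa.sh, added in the same commit, follow the same pattern.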
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/ecdsa.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST ECDSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa keypair $request > $response
+
+request=PKV.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa pkv $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa sigver $request > $response
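Review bot: ecdsa.sh is added with mode 100644 while its sibling dsa.sh in this commit is added as 100755, so this script is not executable and has to be run as `sh ecdsa.sh`; the two modes should be made consistent. The header comment could also say that the script needs a fipstest built with `NSS_ENABLE_ECC`, since the fipstest Makefile in this commit only passes `-DNSS_ENABLE_ECC` when that variable is defined and the ecdsa subcommands are presumably compiled only then. A line such as `# Requires fipstest built with NSS_ENABLE_ECC defined.` would do.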
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -36,308 +36,49 @@
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
 
 #include "secitem.h"
 #include "blapi.h"
 #include "nss.h"
+#include "secerr.h"
+#include "secder.h"
+#include "secdig.h"
+#include "keythi.h"
+#include "ec.h"
+#include "hasht.h"
+#include "lowkeyi.h"
+#include "softoken.h"
+#include "pqgutil.h"
+
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
 
-static const unsigned char
-table3[32][8] = {
-  { 0x10, 0x46, 0x91, 0x34, 0x89, 0x98, 0x01, 0x31 },
-  { 0x10, 0x07, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x07, 0x10, 0x34, 0xc8, 0x98, 0x01, 0x20 },
-  { 0x10, 0x46, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x10, 0x86, 0x91, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x51, 0x07, 0xb0, 0x15, 0x19, 0x58, 0x01, 0x01 },
-  { 0x10, 0x07, 0xb0, 0x15, 0x19, 0x19, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x54, 0x98, 0x08, 0x01, 0x01 },
-  { 0x31, 0x07, 0x91, 0x94, 0x98, 0x08, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x15, 0xb9, 0x08, 0x01, 0x40 },
-  { 0x31, 0x07, 0x91, 0x15, 0x98, 0x08, 0x01, 0x40 },
-  { 0x10, 0x07, 0xd0, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0x91, 0x15, 0x89, 0x98, 0x01, 0x01 },
-  { 0x91, 0x07, 0xd0, 0x15, 0x89, 0x19, 0x01, 0x01 },
-  { 0x10, 0x07, 0xd0, 0x15, 0x98, 0x98, 0x01, 0x20 },
-  { 0x10, 0x07, 0x94, 0x04, 0x98, 0x19, 0x01, 0x01 },
-  { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x04, 0x01 },
-  { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x01, 0x01 },
-  { 0x01, 0x07, 0x94, 0x04, 0x91, 0x19, 0x04, 0x01 },
-  { 0x19, 0x07, 0x92, 0x10, 0x98, 0x1a, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x19, 0x98, 0x19, 0x08, 0x01 },
-  { 0x10, 0x07, 0x91, 0x19, 0x98, 0x1a, 0x08, 0x01 },
-  { 0x10, 0x07, 0x92, 0x10, 0x98, 0x19, 0x01, 0x01 },
-  { 0x10, 0x07, 0x91, 0x15, 0x98, 0x19, 0x01, 0x0b },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x01 },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x02 },
-  { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x08 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x01, 0x04 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x19, 0x01, 0x04 },
-  { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x02, 0x01 },
-  { 0x10, 0x02, 0x91, 0x16, 0x98, 0x10, 0x01, 0x01 }