Bug 461082, Deliver NSS 3.12.2 and NSPR 4.7.2 to Mozilla
authorKai Engert <kaie@kuix.de>
Thu, 23 Oct 2008 02:38:29 +0200
changeset 20768 78d4f20a71a87b1ac2a14853523bf476f1363c35
parent 20767 644b31f76962168aaf637d16c77d6305b40559cb
child 20769 cb9fdd5a2b4091db8bf329c49dfa2abc0716116d
push idunknown
push userunknown
push dateunknown
bugs461082
milestone1.9.1b2pre
Bug 461082, Deliver NSS 3.12.2 and NSPR 4.7.2 to Mozilla r=wtc
dbm/include/mcom_db.h
dbm/src/h_bigkey.c
dbm/src/h_page.c
dbm/src/hash.c
dbm/src/hash_buf.c
dbm/src/mktemp.c
dbm/src/snprintf.c
nsprpub/pkg/linux/Makefile.in
nsprpub/pkg/solaris/SUNWprd/prototype
nsprpub/pr/include/prinit.h
nsprpub/pr/src/misc/prtime.c
nsprpub/pr/tests/formattm.c
nsprpub/pr/tests/runtests.pl
security/coreconf/Linux.mk
security/coreconf/UNIX.mk
security/coreconf/WINNT6.0.mk
security/coreconf/nsinstall/nsinstall.c
security/nss/cmd/SSLsample/Makefile
security/nss/cmd/SSLsample/README
security/nss/cmd/SSLsample/client.c
security/nss/cmd/SSLsample/client.mn
security/nss/cmd/SSLsample/gencerts
security/nss/cmd/SSLsample/make.client
security/nss/cmd/SSLsample/make.server
security/nss/cmd/SSLsample/server.c
security/nss/cmd/SSLsample/server.mn
security/nss/cmd/SSLsample/sslerror.h
security/nss/cmd/SSLsample/sslsample.c
security/nss/cmd/SSLsample/sslsample.h
security/nss/cmd/certutil/certutil.c
security/nss/cmd/crlutil/crlutil.c
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/ffs.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/manifest.mn
security/nss/cmd/modutil/error.h
security/nss/cmd/modutil/pk11.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/platlibs.mk
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/shlibsign.c
security/nss/cmd/signtool/signtool.c
security/nss/cmd/signtool/util.c
security/nss/cmd/signver/manifest.mn
security/nss/cmd/signver/pk7print.c
security/nss/cmd/tests/conflict.c
security/nss/cmd/tests/manifest.mn
security/nss/cmd/tstclnt/tstclnt.c
security/nss/lib/base/nssbaset.h
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/capi/staticobj.c
security/nss/lib/ckfw/nssmkey/staticobj.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/dev/devtoken.c
security/nss/lib/dev/devutil.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/mac_rand.c
security/nss/lib/freebl/md2.c
security/nss/lib/freebl/md5.c
security/nss/lib/freebl/sysrand.c
security/nss/lib/jar/jarfile.c
security/nss/lib/libpkix/pkix/checker/manifest.mn
security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c
security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h
security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h
security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h
security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c
security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.h
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.h
security/nss/lib/libpkix/pkix/top/manifest.mn
security/nss/lib/libpkix/pkix/top/pkix_basicconstraintschecker.c
security/nss/lib/libpkix/pkix/top/pkix_basicconstraintschecker.h
security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c
security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.h
security/nss/lib/libpkix/pkix/top/pkix_expirationchecker.c
security/nss/lib/libpkix/pkix/top/pkix_expirationchecker.h
security/nss/lib/libpkix/pkix/top/pkix_namechainingchecker.c
security/nss/lib/libpkix/pkix/top/pkix_namechainingchecker.h
security/nss/lib/libpkix/pkix/top/pkix_nameconstraintschecker.c
security/nss/lib/libpkix/pkix/top/pkix_nameconstraintschecker.h
security/nss/lib/libpkix/pkix/top/pkix_policychecker.c
security/nss/lib/libpkix/pkix/top/pkix_policychecker.h
security/nss/lib/libpkix/pkix/top/pkix_signaturechecker.c
security/nss/lib/libpkix/pkix/top/pkix_signaturechecker.h
security/nss/lib/libpkix/pkix/top/pkix_targetcertchecker.c
security/nss/lib/libpkix/pkix/top/pkix_targetcertchecker.h
security/nss/lib/libpkix/pkix/util/pkix_tools.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/debug_module.c
security/nss/lib/pk11wrap/dev3hack.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11cxt.c
security/nss/lib/pk11wrap/pk11err.c
security/nss/lib/pk11wrap/pk11load.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pkcs12/p12.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs12/p12e.c
security/nss/lib/pkcs7/certread.c
security/nss/lib/pki/trustdomain.c
security/nss/lib/smime/config.mk
security/nss/lib/smime/smime.def
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11t.h
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/config.mk
security/nss/lib/ssl/manifest.mn
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/util/nssb64d.c
security/nss/lib/util/nssilckt.h
security/nss/lib/util/nssrwlk.c
security/nss/lib/util/nssrwlk.h
security/nss/lib/util/secerr.h
security/nss/lib/util/secport.c
security/nss/lib/util/secport.h
security/nss/lib/util/sectime.c
security/nss/lib/util/utf8.c
security/nss/tests/all.sh
security/nss/tests/common/init.sh
security/nss/tests/iopr/ssl_iopr.sh
security/nss/tests/memleak/memleak.sh
security/nss/tests/merge/merge.sh
security/nss/tests/ssl/ssl.sh
security/nss/tests/tools/tools.sh
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -151,17 +151,17 @@
 
 #ifdef SNI
 /* #include <sys/hetero.h> */
 #define BYTE_ORDER BIG_ENDIAN
 #define BIG_ENDIAN      4321
 #define LITTLE_ENDIAN   1234
 #endif
 
-#ifdef _WINDOWS
+#if defined(_WINDOWS) || defined(XP_OS2_VACPP)
 #ifdef BYTE_ORDER
 #undef BYTE_ORDER
 #endif
 
 #define BYTE_ORDER LITTLE_ENDIAN
 #define LITTLE_ENDIAN   1234            /* LSB first: i386, vax, all NT risc */
 #define BIG_ENDIAN      4321
 #endif
@@ -183,16 +183,24 @@
 #if defined(_WINDOWS) || defined(XP_OS2)
 #include <stdio.h>
 #include <io.h>
 
 #ifndef XP_OS2 
 #define MAXPATHLEN 	1024               
 #endif
 
+#ifdef XP_OS2_VACPP
+#include <os2.h>
+#define	MAXPATHLEN	CCHMAXPATH
+#define	EPERM		EINVAL
+#define	ENOTDIR		EBADPOS
+#define	S_ISDIR(s)	((s) & S_IFDIR)
+#endif
+
 #define	EFTYPE		EINVAL		/* POSIX 1003.1 format errno. */
 
 #ifndef	STDERR_FILENO
 #define	STDIN_FILENO	0		/* ANSI C #defines */
 #define	STDOUT_FILENO	1
 #define	STDERR_FILENO	2
 #endif
 
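Review bot: The `S_ISDIR(s)` fallback added in the `XP_OS2_VACPP` block tests a single bit, `((s) & S_IFDIR)`, so a mode value that shares that bit with another file type would be reported as a directory. If the compiler's headers provide `S_IFMT`, `#define S_ISDIR(s) (((s) & S_IFMT) == S_IFDIR)` is the safer form. The same block defines `EPERM` and `ENOTDIR` without an `#ifndef` guard, and mapping `EPERM` to `EINVAL` means callers can no longer tell a permission failure from a bad argument. I would guard each define with `#ifndef` and add a comment on why these substitutes were chosen, since the reason is not visible in the hunk.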
--- a/dbm/src/h_bigkey.c
+++ b/dbm/src/h_bigkey.c
@@ -51,17 +51,17 @@ static char sccsid[] = "@(#)hash_bigkey.
  *	__big_return
  *	__big_delete
  *	__find_last_page
  * Internal
  *	collect_key
  *	collect_data
  */
 
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
 #include <sys/param.h>
 #endif
 
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
--- a/dbm/src/h_page.c
+++ b/dbm/src/h_page.c
@@ -73,17 +73,17 @@ static char sccsid[] = "@(#)hash_page.c	
 #if defined(_WIN32) || defined(_WINDOWS) 
 #include <io.h>
 #endif
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
 #include <unistd.h>
 #endif
 
 #include <assert.h>
 
 #include "mcom_db.h"
 #include "hash.h"
 #include "page.h"
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -33,39 +33,39 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)hash.c	8.9 (Berkeley) 6/16/94";
 #endif /* LIBC_SCCS and not lint */
 
 #include "watcomfx.h"
 
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
 #include <sys/param.h>
 #endif
 
 #if !defined(macintosh)
-#ifdef XP_OS2
+#ifdef XP_OS2_EMX
 #include <sys/types.h>
 #endif
 #include <sys/stat.h>
 #endif
 
 #if defined(macintosh)
 #include <unix.h>
 #include <unistd.h>
 #endif
 
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
 #include <unistd.h>
 #endif
 #if defined(_WIN32) || defined(_WINDOWS) 
 #include <windows.h>
 #endif
 
 #include <assert.h>
 
--- a/dbm/src/hash_buf.c
+++ b/dbm/src/hash_buf.c
@@ -48,17 +48,17 @@ static char sccsid[] = "@(#)hash_buf.c	8
  * External
  *	__buf_init
  *	__get_buf
  *	__buf_free
  *	__reclaim_buf
  * Internal
  *	newbuf
  */
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
 #include <sys/param.h>
 #endif
 
 #include <errno.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -42,20 +42,24 @@ static char sccsid[] = "@(#)mktemp.c	8.1
 #include <sys/stat.h>
 #endif
 #include <fcntl.h>
 #include <errno.h>
 #include <stdio.h>
 #include <ctype.h>
 #include "mcom_db.h"
 
-#ifndef _WINDOWS
+#if !defined(_WINDOWS) && !defined(XP_OS2_VACPP)
 #include <unistd.h>
 #endif
 
+#ifdef XP_OS2_VACPP
+#include <process.h>
+#endif
+
 #ifdef _WINDOWS
 #include <process.h>
 #include "winfile.h"
 #endif
 
 static int _gettemp(char *path, register int *doopen, int extraFlags);
 
 int
--- a/dbm/src/snprintf.c
+++ b/dbm/src/snprintf.c
@@ -11,40 +11,40 @@
 #include "cdefs.h"
 #endif
 
 #include "prtypes.h"
 
 #include <ncompat.h>
 
 /* The OS/2 VAC compiler doesn't appear to define __STDC__ and won't let us define it either */
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
 #include <stdarg.h>
 #else
 #include <varargs.h>
 #endif
 
 int
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
 snprintf(char *str, size_t n, const char *fmt, ...)
 #else
 snprintf(str, n, fmt, va_alist)
 	char *str;
 	size_t n;
 	const char *fmt;
 	va_dcl
 #endif
 {
 	va_list ap;
 #ifdef VSPRINTF_CHARSTAR
 	char *rp;
 #else
 	int rval;
 #endif
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
 	va_start(ap, fmt);
 #else
 	va_start(ap);
 #endif
 #ifdef VSPRINTF_CHARSTAR
 	rp = vsprintf(str, fmt, ap);
 	va_end(ap);
 	return (strlen(rp));
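Review bot: The `snprintf` body shown here never uses `n`: the `VSPRINTF_CHARSTAR` branch calls `vsprintf(str, fmt, ap)`, so output longer than the caller's buffer is written past its end. The change only touches the `__STDC__` tests and leaves that as it is. Where the platform offers it, `vsnprintf(str, n, fmt, ap)` keeps the write bounded; otherwise the definition deserves a comment such as `/* WARNING: n is ignored; callers must size str for the full output */`. The non-`VSPRINTF_CHARSTAR` branch and the end of the function lie outside the hunk, so the same check is needed there.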
--- a/nsprpub/pkg/linux/Makefile.in
+++ b/nsprpub/pkg/linux/Makefile.in
@@ -33,17 +33,17 @@
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 #
-#ident	"$Id: Makefile.in,v 1.10 2005/11/18 21:50:20 christophe.ravel.bugs%sun.com Exp $"
+#ident	"$Id: Makefile.in,v 1.11 2008/10/20 22:38:45 christophe.ravel.bugs%sun.com Exp $"
 #
 
 MOD_DEPTH = ../..
 topsrcdir   = @top_srcdir@
 srcdir	    = @srcdir@
 VPATH	    = @srcdir@
 
 NAME        = sun-nspr
@@ -69,17 +69,17 @@ endif
 publish:
 	$(MAKE) clean
 	mkdir -p SOURCES SRPMS RPMS BUILD
 	(cd $(dist_libdir) && tar cphf - libnspr4.so libplds4.so libplc4.so) \
 	| (mkdir -p opt/sun/private/$(RPMLIBDIR) && cd opt/sun/private/$(RPMLIBDIR) && tar xvfBp -)
 	(cd $(dist_includedir) && tar cphf - .) \
 	| (mkdir -p opt/sun/private/include/nspr && cd opt/sun/private/include/nspr && tar xvfBp -)
 	(cd opt/sun/private/include/nspr && \
-		rm -rf md private obsolete/pralarm.h obsolete/probslet.h obsolete/prsem.h)
+		rm -rf md)
 	tar czvf SOURCES/$(NAME)-$(VERSION).tar.gz opt
 	echo "%define name $(NAME)" >$(SPECFILE)
 	echo "%define version $(VERSION)" >>$(SPECFILE)
 	echo "%define release $(RPM_RELEASE)" >>$(SPECFILE)
 	echo "%define buildroot `pwd`/$(NAME)-root" >>$(SPECFILE)
 	echo "%define _topdir `pwd`" >>$(SPECFILE)
 	echo "%define _unpackaged_files_terminate_build 0" >>$(SPECFILE)
 	cat $(srcdir)/$(NAME).spec >>$(SPECFILE)
@@ -95,16 +95,17 @@ publish:
 	echo "%files devel" >>$(SPECFILE)
 	echo "%defattr(-,root,root)" >>$(SPECFILE)
 	echo "%dir /opt" >>$(SPECFILE)
 	echo "%dir /opt/sun" >>$(SPECFILE)
 	echo "%dir /opt/sun/private" >>$(SPECFILE)
 	echo "%dir /opt/sun/private/include" >>$(SPECFILE)
 	echo "%dir /opt/sun/private/include/nspr" >>$(SPECFILE)
 	echo "%dir /opt/sun/private/include/nspr/obsolete" >>$(SPECFILE)
+	echo "%dir /opt/sun/private/include/nspr/private" >>$(SPECFILE)
 	find opt -type f \( -name "*.h" \) \
 		| sed -e "s-^-/-" >>$(SPECFILE)
 	rpmbuild $(RPMTARGET) -bb $(SPECFILE)
 
 clean:
 	rm -rf $(TOPDIR)/BUILD/$(NAME)
 	rm -rf SOURCES SRPMS RPMS BUILD
 	rm -rf RPMS SRPMS opt
--- a/nsprpub/pkg/solaris/SUNWprd/prototype
+++ b/nsprpub/pkg/solaris/SUNWprd/prototype
@@ -33,17 +33,17 @@
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 #
-#ident  "$Id: prototype,v 1.4 2006/04/05 20:57:09 wtchang%redhat.com Exp $"
+#ident  "$Id: prototype,v 1.5 2008/10/20 22:38:46 christophe.ravel.bugs%sun.com Exp $"
 #
 # This required package information file contains a list of package contents.
 # The 'pkgmk' command uses this file to identify the contents of a package
 # and their location on the development machine when building the package.
 # Can be created via a text editor or through use of the 'pkgproto' command.
 
 #!search <pathname pathname ...>        # where to find pkg objects
 #!include <filename>                    # include another 'prototype' file
@@ -58,17 +58,21 @@ i depend
 # source locations relative to .h 0644 root bine prototype file
 #
 # SUNWprd
 #
 d none usr 0755 root sys
 d none usr/include 0755 root bin
 d none usr/include/mps 0755 root bin
 d none usr/include/mps/obsolete 0755 root bin
+d none usr/include/mps/private 0755 root bin
+f none usr/include/mps/obsolete/pralarm.h 0644 root bin
+f none usr/include/mps/obsolete/probslet.h 0644 root bin
 f none usr/include/mps/obsolete/protypes.h 0644 root bin
+f none usr/include/mps/obsolete/prsem.h 0644 root bin
 f none usr/include/mps/prcpucfg.h 0644 root bin
 f none usr/include/mps/nspr.h 0644 root bin
 f none usr/include/mps/pratom.h 0644 root bin
 f none usr/include/mps/prbit.h 0644 root bin
 f none usr/include/mps/prclist.h 0644 root bin
 f none usr/include/mps/prcmon.h 0644 root bin
 f none usr/include/mps/prcountr.h 0644 root bin
 f none usr/include/mps/prcvar.h 0644 root bin
@@ -76,16 +80,19 @@ f none usr/include/mps/prdtoa.h 0644 roo
 f none usr/include/mps/prenv.h 0644 root bin
 f none usr/include/mps/prerr.h 0644 root bin
 f none usr/include/mps/prerror.h 0644 root bin
 f none usr/include/mps/prinet.h 0644 root bin
 f none usr/include/mps/prinit.h 0644 root bin
 f none usr/include/mps/prinrval.h 0644 root bin
 f none usr/include/mps/prio.h 0644 root bin
 f none usr/include/mps/pripcsem.h 0644 root bin
+f none usr/include/mps/private/pprio.h 0644 root bin
+f none usr/include/mps/private/pprthred.h 0644 root bin
+f none usr/include/mps/private/prpriv.h 0644 root bin
 f none usr/include/mps/prlink.h 0644 root bin
 f none usr/include/mps/prlock.h 0644 root bin
 f none usr/include/mps/prlog.h 0644 root bin
 f none usr/include/mps/prlong.h 0644 root bin
 f none usr/include/mps/prmem.h 0644 root bin
 f none usr/include/mps/prmon.h 0644 root bin
 f none usr/include/mps/prmwait.h 0644 root bin
 f none usr/include/mps/prnetdb.h 0644 root bin
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -58,21 +58,21 @@ PR_BEGIN_EXTERN_C
 /*
 ** NSPR's version is used to determine the likelihood that the version you
 ** used to build your component is anywhere close to being compatible with
 ** what is in the underlying library.
 **
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.7.2 Beta 4"
+#define PR_VERSION  "4.7.2"
 #define PR_VMAJOR   4
 #define PR_VMINOR   7
 #define PR_VPATCH   2
-#define PR_BETA     PR_TRUE
+#define PR_BETA     PR_FALSE
 
 /*
 ** PRVersionCheck
 **
 ** The basic signature of the function that is called to provide version
 ** checking. The result will be a boolean that indicates the likelihood
 ** that the underling library will perform as the caller expects.
 **
--- a/nsprpub/pr/src/misc/prtime.c
+++ b/nsprpub/pr/src/misc/prtime.c
@@ -1693,39 +1693,47 @@ PR_ParseTimeString(
  *-----------------------------------------------------------------------
  */
 
 PR_IMPLEMENT(PRUint32)
 PR_FormatTime(char *buf, int buflen, const char *fmt, const PRExplodedTime *tm)
 {
     size_t rv;
     struct tm a;
-    a.tm_sec = tm->tm_sec;
-    a.tm_min = tm->tm_min;
-    a.tm_hour = tm->tm_hour;
-    a.tm_mday = tm->tm_mday;
-    a.tm_mon = tm->tm_month;
-    a.tm_wday = tm->tm_wday;
-    a.tm_year = tm->tm_year - 1900;
-    a.tm_yday = tm->tm_yday;
-    a.tm_isdst = tm->tm_params.tp_dst_offset ? 1 : 0;
+    struct tm *ap;
 
-/*
- * On some platforms, for example SunOS 4, struct tm has two additional
- * fields: tm_zone and tm_gmtoff.
- */
+    if (tm) {
+        ap = &a;
+        a.tm_sec = tm->tm_sec;
+        a.tm_min = tm->tm_min;
+        a.tm_hour = tm->tm_hour;
+        a.tm_mday = tm->tm_mday;
+        a.tm_mon = tm->tm_month;
+        a.tm_wday = tm->tm_wday;
+        a.tm_year = tm->tm_year - 1900;
+        a.tm_yday = tm->tm_yday;
+        a.tm_isdst = tm->tm_params.tp_dst_offset ? 1 : 0;
+
+        /*
+         * On some platforms, for example SunOS 4, struct tm has two
+         * additional fields: tm_zone and tm_gmtoff.
+         */
 
 #if defined(SUNOS4) || (__GLIBC__ >= 2) || defined(XP_BEOS) \
         || defined(NETBSD) || defined(OPENBSD) || defined(FREEBSD) \
         || defined(DARWIN) || defined(SYMBIAN)
-    a.tm_zone = NULL;
-    a.tm_gmtoff = tm->tm_params.tp_gmt_offset + tm->tm_params.tp_dst_offset;
+        a.tm_zone = NULL;
+        a.tm_gmtoff = tm->tm_params.tp_gmt_offset +
+                      tm->tm_params.tp_dst_offset;
 #endif
+    } else {
+        ap = NULL;
+    }
 
-    rv = strftime(buf, buflen, fmt, &a);
+    rv = strftime(buf, buflen, fmt, ap);
     if (!rv && buf && buflen > 0) {
         /*
          * When strftime fails, the contents of buf are indeterminate.
          * Some callers don't check the return value from this function,
          * so store an empty string in buf in case they try to print it.
          */
         buf[0] = '\0';
     }
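Review bot: The new `else` branch sets `ap = NULL` and hands it to `strftime`, which the C standard does not define for a null `timeptr`, so a NULL `tm` still depends on how the platform's libc reacts instead of failing cleanly here. Returning early would make the result predictable: `if (!tm) { if (buf && buflen > 0) buf[0] = '\0'; return 0; }`. Separately, `buflen` is an `int` passed where `strftime` takes a `size_t`, so a negative value becomes a very large limit; a guard such as `if (!buf || buflen <= 0) return 0;` before the call would close that. The function's return statement is outside the hunk.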
--- a/nsprpub/pr/tests/formattm.c
+++ b/nsprpub/pr/tests/formattm.c
@@ -39,21 +39,44 @@
 
 #include "prtime.h"
 
 #include <stdio.h>
 
 int main()
 {
     char buffer[256];
+    char small_buffer[8];
     PRTime now;
     PRExplodedTime tod;
 
     now = PR_Now();
     PR_ExplodeTime(now, PR_LocalTimeParameters, &tod);
-    (void)PR_FormatTime(buffer, sizeof(buffer),
-        "%a %b %d %H:%M:%S %Z %Y", &tod);
-    printf("%s\n", buffer);
+
+    if (PR_FormatTime(buffer, sizeof(buffer),
+            "%a %b %d %H:%M:%S %Z %Y", &tod) != 0) {
+        printf("%s\n", buffer);
+    } else {
+        fprintf(stderr, "PR_FormatTime(buffer) failed\n");
+        return 1;
+    }
+
+    small_buffer[0] = '?';
+    if (PR_FormatTime(small_buffer, sizeof(small_buffer),
+            "%a %b %d %H:%M:%S %Z %Y", &tod) == 0) {
+        if (small_buffer[0] != '\0') {
+            fprintf(stderr, "PR_FormatTime(small_buffer) did not output "
+                            "an empty string on failure\n");
+            return 1;
+        }
+        printf("%s\n", small_buffer);
+    } else {
+        fprintf(stderr, "PR_FormatTime(small_buffer) succeeded "
+                        "unexpectedly\n");
+        return 1;
+    }
+
     (void)PR_FormatTimeUSEnglish(buffer, sizeof(buffer),
         "%a %b %d %H:%M:%S %Z %Y", &tod);
     printf("%s\n", buffer);
+
     return 0;
 }
old mode 100644
new mode 100755
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -180,8 +180,11 @@ LDFLAGS			+= $(ARCHFLAG)
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
 # Always set CPU_TAG on Linux, OpenVMS, WINCE.
 #
 CPU_TAG = _$(CPU_ARCH)
+
+USE_SYSTEM_ZLIB = 1
+ZLIB_LIBS = -lz
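Review bot: `USE_SYSTEM_ZLIB = 1` and `ZLIB_LIBS = -lz` are assigned unconditionally at the end of Linux.mk, so a value supplied through the environment is overridden and Linux builds presumably now link whatever zlib the build host provides. If that is intended, a comment would help packagers, for example `# Link the host's zlib; its security fixes then come from the OS, not from this tree`. Wrapping the two lines in `ifndef USE_SYSTEM_ZLIB` would let an embedding build opt out.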
--- a/security/coreconf/UNIX.mk
+++ b/security/coreconf/UNIX.mk
@@ -41,17 +41,19 @@ DLL_SUFFIX  = so
 AR          = ar cr $@
 LDOPTS     += -L$(SOURCE_LIB_DIR)
 
 ifdef BUILD_OPT
 	OPTIMIZER  += -O
 	DEFINES    += -UDEBUG -DNDEBUG
 else
 	OPTIMIZER  += -g
-	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(shell whoami)
+	USERNAME   := $(shell whoami)
+	USERNAME   := $(subst -,_,$(USERNAME))
+	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
 endif
 
 ifdef BUILD_TREE
 NSINSTALL_DIR  = $(BUILD_TREE)/nss
 NSINSTALL      = $(BUILD_TREE)/nss/nsinstall
 else
 NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
 NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
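Review bot: Only `-` is rewritten in the `whoami` output before it is pasted into `-DDEBUG_$(USERNAME)`, so a login name containing `.`, `+`, `@` or a space still yields an invalid macro name or extra compiler arguments in the non-`BUILD_OPT` branch. `USERNAME` is also a name some environments already export, and when it comes from the environment, assigning it here changes what child processes see. A tree-specific variable with a wider filter would avoid both, e.g. `DEBUG_USER := $(shell whoami | tr -c 'A-Za-z0-9_\n' '_')` followed by `DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(DEBUG_USER)`.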
--- a/security/coreconf/WINNT6.0.mk
+++ b/security/coreconf/WINNT6.0.mk
@@ -71,82 +71,8 @@ endif
 
 #
 # Win NT needs -GT so that fibers can work
 #
 OS_CFLAGS += -GT
 DEFINES += -DWINNT
 
 NSPR31_LIB_PREFIX = lib
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#    Robert Longson <longsonr@gmail.com>
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# Config stuff for WINNT 6.0 (Windows Vista)
-#
-# This makefile defines the following variables:
-# OS_CFLAGS and OS_DLLFLAGS.
-
-include $(CORE_DEPTH)/coreconf/WIN32.mk
-
-ifeq ($(CPU_ARCH), x386)
-	OS_CFLAGS += -W3 -nologo
-	DEFINES += -D_X86_
-else 
-	ifeq ($(CPU_ARCH), MIPS)
-		#OS_CFLAGS += -W3 -nologo
-		#DEFINES += -D_MIPS_
-		OS_CFLAGS += -W3 -nologo
-	else 
-		ifeq ($(CPU_ARCH), ALPHA)
-			OS_CFLAGS += -W3 -nologo
-			DEFINES += -D_ALPHA_=1
-		endif
-	endif
-endif
-
-OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
-ifndef MOZ_DEBUG_SYMBOLS
-	OS_DLLFLAGS += -PDB:NONE
-endif
-
-#
-# Win NT needs -GT so that fibers can work
-#
-OS_CFLAGS += -GT
-DEFINES += -DWINNT
-
-NSPR31_LIB_PREFIX = lib
--- a/security/coreconf/nsinstall/nsinstall.c
+++ b/security/coreconf/nsinstall/nsinstall.c
@@ -354,16 +354,18 @@ retry:
 		if (rmrv < 0) {
 		    fail("destination exists, cannot remove %s", toname);
 		}
 		exists = 0;
 	    }
 	    if (!exists && symlink(name, toname) < 0) {
 		if (errno == EEXIST) {
 		    fprintf(stderr, "symlink creation race: %s\n", toname);
+                    fail("symlink was attempted in working directory %s "
+                         "from %s to %s.\n", cwd, name, toname);
 		    goto retry;
 		}
 		diagnosePath(toname);
 		fail("cannot make symbolic link %s", toname);
 	    }
 #ifdef HAVE_LCHOWN
 	    if ((owner || group) && lchown(toname, uid, gid) < 0)
 		fail("cannot change owner of %s", toname);
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# do these once for each target program
-all default export libs program install release_export::
-	$(MAKE) -f make.client $@
-	$(MAKE) -f make.server $@
-
-# only do these things once for the whole directory
-depend dependclean clean clobber realclean clobber_all release_classes release_clean release_cpdistdir release_export release_jars release_md release_policy show::
-	$(MAKE) -f make.client $@
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/README
+++ /dev/null
@@ -1,35 +0,0 @@
-These sample programs can be built in either of two ways:
-1) is the NSS source tree, using the coreconf build system, and 
-2) stand alone (as part of the NSS distribution).
-
-The following makefiles are used only when building in the NSS source tree
-using coreconf.  These are NOT part of the distribution.
-
-Makefile
-client.mn
-server.mn
-config.mk
-make.client
-make.server
-
-The following source files are common to both build environments and are
-part of the distribution.
-
-NSPRerrs.h
-SECerrs.h
-SSLerrs.h
-client.c
-getopt.c
-server.c
-sslerror.h
-
-In the NSS 2.0 distribution, the sample code and makefiles are in a 
-directory named "samples".  The directories relevant to building 
-in the distributed tree are:
-
-./samples
-./include/dbm
-./include/nspr
-./include/security
-./lib
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/client.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- *  SSL client program that sets up a connection to SSL server, transmits   *
- *  some data and then reads the reply                                      *
- ****************************************************************************/ 
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "secitem.h"
-
-
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-
-#include "sslsample.h"
-
-#define RD_BUF_SIZE (60 * 1024)
-
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-GlobalThreadMgr threadMGR;
-char *certNickname = NULL;
-char *hostName = NULL;
-char *password = NULL;
-unsigned short port = 0;
-
-static void
-Usage(const char *progName)
-{
-	fprintf(stderr, 
-	  "Usage: %s [-n rsa_nickname] [-p port] [-d dbdir] [-c connections]\n"
-	  "          [-w dbpasswd] [-C cipher(s)] hostname\n",
-	progName);
-	exit(1);
-}
-
-PRFileDesc *
-setupSSLSocket(PRNetAddr *addr)
-{
-	PRFileDesc         *tcpSocket;
-	PRFileDesc         *sslSocket;
-	PRSocketOptionData	socketOption;
-	PRStatus            prStatus;
-	SECStatus           secStatus;
-
-#if 0
-retry:
-#endif
-
-	tcpSocket = PR_NewTCPSocket();
-	if (tcpSocket == NULL) {
-		errWarn("PR_NewTCPSocket");
-	}
-
-	/* Make the socket blocking. */
-	socketOption.option	            = PR_SockOpt_Nonblocking;
-	socketOption.value.non_blocking = PR_FALSE;
-
-	prStatus = PR_SetSocketOption(tcpSocket, &socketOption);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_SetSocketOption");
-		goto loser;
-	} 
-
-#if 0
-	/* Verify that a connection can be made to the socket. */
-	prStatus = PR_Connect(tcpSocket, addr, PR_INTERVAL_NO_TIMEOUT);
-	if (prStatus != PR_SUCCESS) {
-		PRErrorCode err = PR_GetError();
-		if (err == PR_CONNECT_REFUSED_ERROR) {
-			PR_Close(tcpSocket);
-			PR_Sleep(PR_MillisecondsToInterval(10));
-			fprintf(stderr, "Connection to port refused, retrying.\n");
-			goto retry;
-		}
-		errWarn("PR_Connect");
-		goto loser;
-	}
-#endif
-
-	/* Import the socket into the SSL layer. */
-	sslSocket = SSL_ImportFD(NULL, tcpSocket);
-	if (!sslSocket) {
-		errWarn("SSL_ImportFD");
-		goto loser;
-	}
-
-	/* Set configuration options. */
-	secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_SECURITY");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
-		goto loser;
-	}
-
-	/* Set SSL callback routines. */
-	secStatus = SSL_GetClientAuthDataHook(sslSocket,
-	                          (SSLGetClientAuthData)myGetClientAuthData,
-	                          (void *)certNickname);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_GetClientAuthDataHook");
-		goto loser;
-	}
-
-	secStatus = SSL_AuthCertificateHook(sslSocket,
-	                                   (SSLAuthCertificate)myAuthCertificate,
-                                       (void *)CERT_GetDefaultCertDB());
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_AuthCertificateHook");
-		goto loser;
-	}
-
-	secStatus = SSL_BadCertHook(sslSocket, 
-	                           (SSLBadCertHandler)myBadCertHandler, NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_BadCertHook");
-		goto loser;
-	}
-
-	secStatus = SSL_HandshakeCallback(sslSocket, 
-	                                  myHandshakeCallback,
-	                                  NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_HandshakeCallback");
-		goto loser;
-	}
-
-	return sslSocket;
-
-loser:
-
-	PR_Close(tcpSocket);
-	return NULL;
-}
-
-
-const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
-
-SECStatus
-handle_connection(PRFileDesc *sslSocket, int connection)
-{
-	int	     countRead = 0;
-	PRInt32  numBytes;
-	char    *readBuffer;
-
-	readBuffer = PORT_Alloc(RD_BUF_SIZE);
-	if (!readBuffer) {
-		exitErr("PORT_Alloc");
-	}
-
-	/* compose the http request here. */
-
-	numBytes = PR_Write(sslSocket, requestString, strlen(requestString));
-	if (numBytes <= 0) {
-		errWarn("PR_Write");
-		PR_Free(readBuffer);
-		readBuffer = NULL;
-		return SECFailure;
-	}
-
-	/* read until EOF */
-	while (PR_TRUE) {
-		numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE);
-		if (numBytes == 0) {
-			break;	/* EOF */
-		}
-		if (numBytes < 0) {
-			errWarn("PR_Read");
-			break;
-		}
-		countRead += numBytes;
-		fprintf(stderr, "***** Connection %d read %d bytes (%d total).\n", 
-			connection, numBytes, countRead );
-		readBuffer[numBytes] = '\0';
-		fprintf(stderr, "************\n%s\n************\n", readBuffer);
-	}
-
-	printSecurityInfo(sslSocket);
-	
-	PR_Free(readBuffer);
-	readBuffer = NULL;
-
-	/* Caller closes the socket. */
-
-	fprintf(stderr, 
-	        "***** Connection %d read %d bytes total.\n", 
-	        connection, countRead);
-
-	return SECSuccess;	/* success */
-}
-
-/* one copy of this function is launched in a separate thread for each
-** connection to be made.
-*/
-SECStatus
-do_connects(void *a, int connection)
-{
-	PRNetAddr  *addr = (PRNetAddr *)a;
-	PRFileDesc *sslSocket;
-	PRHostEnt   hostEntry;
-	char        buffer[PR_NETDB_BUF_SIZE];
-	PRStatus    prStatus;
-	PRIntn      hostenum;
-	SECStatus   secStatus;
-
-	/* Set up SSL secure socket. */
-	sslSocket = setupSSLSocket(addr);
-	if (sslSocket == NULL) {
-		errWarn("setupSSLSocket");
-		return SECFailure;
-	}
-
-	secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetPKCS11PinArg");
-		return secStatus;
-	}
-
-	secStatus = SSL_SetURL(sslSocket, hostName);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetURL");
-		return secStatus;
-	}
-
-	/* Prepare and setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_GetHostByName");
-		return SECFailure;
-	}
-
-	hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
-	if (hostenum == -1) {
-		errWarn("PR_EnumerateHostEnt");
-		return SECFailure;
-	}
-
-	prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_Connect");
-		return SECFailure;
-	}
-
-	/* Established SSL connection, ready to send data. */
-#if 0
-	secStatus = SSL_ForceHandshake(sslSocket);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ForceHandshake");
-		return secStatus;
-	}
-#endif
-
-	secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ResetHandshake");
-		prStatus = PR_Close(sslSocket);
-		if (prStatus != PR_SUCCESS) {
-			errWarn("PR_Close");
-		}
-		return secStatus;
-	}
-
-	secStatus = handle_connection(sslSocket, connection);
-	if (secStatus != SECSuccess) {
-		errWarn("handle_connection");
-		return secStatus;
-	}
-
-	PR_Close(sslSocket);
-	return SECSuccess;
-}
-
-void
-client_main(unsigned short      port, 
-            int	                connections, 
-            const char *        hostName)
-{
-	int			i;
-	SECStatus	secStatus;
-	PRStatus    prStatus;
-	PRInt32     rv;
-	PRNetAddr	addr;
-	PRHostEnt   hostEntry;
-	char        buffer[256];
-
-	/* Setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, 256, &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_GetHostByName");
-	}
-
-	rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr);
-	if (rv < 0) {
-		exitErr("PR_EnumerateHostEnt");
-	}
-
-	secStatus = launch_thread(&threadMGR, do_connects, &addr, 1);
-	if (secStatus != SECSuccess) {
-		exitErr("launch_thread");
-	}
-
-	if (connections > 1) {
-		/* wait for the first connection to terminate, then launch the rest. */
-		reap_threads(&threadMGR);
-		/* Start up the connections */
-		for (i = 2; i <= connections; ++i) {
-			secStatus = launch_thread(&threadMGR, do_connects, &addr, i);
-			if (secStatus != SECSuccess) {
-				errWarn("launch_thread");
-			}
-		}
-	}
-
-	reap_threads(&threadMGR);
-	destroy_thread_data(&threadMGR);
-}
-
-int
-main(int argc, char **argv)
-{
-	char *               certDir      = ".";
-	char *               progName     = NULL;
-	int					 connections  = 1;
-	char *               cipherString = NULL;
-	SECStatus            secStatus;
-	PLOptState *         optstate;
-	PLOptStatus          status;
-
-	/* Call the NSPR initialization routines */
-	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-	progName = PL_strdup(argv[0]);
-
-	hostName = NULL;
-	optstate = PL_CreateOptState(argc, argv, "C:c:d:n:p:w:");
-	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-		switch(optstate->option) {
-		case 'C' : cipherString = PL_strdup(optstate->value); break;
-		case 'c' : connections = PORT_Atoi(optstate->value);  break;
-		case 'd' : certDir = PL_strdup(optstate->value);      break;
-		case 'n' : certNickname = PL_strdup(optstate->value); break;
-		case 'p' : port = PORT_Atoi(optstate->value);         break;
-		case 'w' : password = PL_strdup(optstate->value);     break;
-		case '\0': hostName = PL_strdup(optstate->value);     break;
-		default  : Usage(progName);
-		}
-	}
-
-	if (port == 0 || hostName == NULL)
-		Usage(progName);
-
-	if (certDir == NULL) {
-		certDir = PR_smprintf("%s/.netscape", getenv("HOME"));
-	}
-
-	/* Set our password function callback. */
-	PK11_SetPasswordFunc(myPasswd);
-
-	/* Initialize the NSS libraries. */
-	secStatus = NSS_Init(certDir);
-	if (secStatus != SECSuccess) {
-		exitErr("NSS_Init");
-	}
-
-	/* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */
-	NSS_SetDomesticPolicy();
-	SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-
-	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
-	if (cipherString) {
-	    int ndx;
-
-	    /* disable all the ciphers, then enable the ones we want. */
-	    disableAllSSLCiphers();
-
-	    while (0 != (ndx = *cipherString++)) {
-		int *cptr;
-		int  cipher;
-
-		if (! isalpha(ndx))
-		    Usage(progName);
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
-		    /* do nothing */;
-		if (cipher) {
-		    SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-		}
-	    }
-	}
-
-	client_main(port, connections, hostName);
-
-	if (NSS_Shutdown() != SECSuccess) {
-            exit(1);
-        }
-	PR_Cleanup();
-	return 0;
-}
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/client.mn
+++ /dev/null
@@ -1,50 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS = 
-
-CSRCS =  client.c \
-	sslsample.c \
-	$(NULL)
-
-PROGRAM = client
-
-IMPORTS = nss/lib/nss
-
deleted file mode 100755
--- a/security/nss/cmd/SSLsample/gencerts
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/sh
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# Directory for db's, use in all subsequent -d flags.
-rm -rf SampleCertDBs
-mkdir SampleCertDBs
-
-# Password to use.
-echo sample > passfile
-
-# Generate the db files, using the above password.
-certutil -N -d SampleCertDBs -f passfile
-
-# Generate the CA cert.  This cert is self-signed and only useful for
-# test purposes.  Set the trust bits to allow it to sign SSL client/server
-# certs.
-certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
-            -s "CN=My Sample Root CA, O=My Organization" \
-            -m 25000 -o ./SampleCertDBs/SampleRootCA.crt \
-            -d SampleCertDBs -f passfile
-
-# Generate the server cert.  This cert is signed by the CA cert generated
-# above.  The CN must be hostname.domain.[com|org|net|...].
-certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
-            -s "CN=$HOSTNAME.$MYDOMAIN, O=$HOSTNAME Corp." \
-            -m 25001 -o ./SampleCertDBs/SampleSSLServer.crt \
-            -d SampleCertDBs -f passfile
-
-# Generate the client cert.  This cert is signed by the CA cert generated
-# above.
-certutil -S -n SampleSSLClientCert -c SampleRootCA -t "u,u,u" \
-            -s "CN=My Client Cert, O=Client Organization" \
-            -m 25002 -o ./SampleCertDBs/SampleSSLClient.crt \
-            -d SampleCertDBs -f passfile
-
-# Verify the certificates.
-certutil -V -u V -n SampleSSLServerCert -d SampleCertDBs
-certutil -V -u C -n SampleSSLClientCert -d SampleCertDBs
-
-# Remove unneccessary files.
-rm -f passfile
-rm -f tempcert*
-
-# You are now ready to run your client/server!  Example command lines:
-# server -n SampleSSLServerCert -p 8080 -d SampleCertDBs -w sample -c e -R
-# client -n SampleSSLClientCert -p 8080 -d SampleCertDBs -w sample -c 2 trane.mcom.com
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/make.client
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include client.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-#CC = cc 
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/make.server
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include server.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/server.c
+++ /dev/null
@@ -1,821 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- *  SSL server program listens on a port, accepts client connection, reads  *
- *  request and responds to it                                              *
- ****************************************************************************/
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-#include "sslsample.h"
-
-#ifndef PORT_Sprintf
-#define PORT_Sprintf sprintf
-#endif
-
-#define REQUEST_CERT_ONCE 1
-#define REQUIRE_CERT_ONCE 2
-#define REQUEST_CERT_ALL  3
-#define REQUIRE_CERT_ALL  4
-
-/* Global variables */
-GlobalThreadMgr   threadMGR;
-char             *password = NULL;
-CERTCertificate  *cert = NULL;
-SECKEYPrivateKey *privKey = NULL;
-int               stopping;
-
-static void
-Usage(const char *progName)
-{
-	fprintf(stderr, 
-
-"Usage: %s -n rsa_nickname -p port [-3RFrf] [-w password]\n"
-"					[-c ciphers] [-d dbdir] \n"
-"-3 means disable SSL v3\n"
-"-r means request certificate on first handshake.\n"
-"-f means require certificate on first handshake.\n"
-"-R means request certificate on all handshakes.\n"
-"-F means require certificate on all handshakes.\n"
-"-c ciphers   Letter(s) chosen from the following list\n"
-"A	  SSL2 RC4 128 WITH MD5\n"
-"B	  SSL2 RC4 128 EXPORT40 WITH MD5\n"
-"C	  SSL2 RC2 128 CBC WITH MD5\n"
-"D	  SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
-"E	  SSL2 DES 64 CBC WITH MD5\n"
-"F	  SSL2 DES 192 EDE3 CBC WITH MD5\n"
-"\n"
-"c	  SSL3 RSA WITH RC4 128 MD5\n"
-"d	  SSL3 RSA WITH 3DES EDE CBC SHA\n"
-"e	  SSL3 RSA WITH DES CBC SHA\n"
-"f	  SSL3 RSA EXPORT WITH RC4 40 MD5\n"
-"g	  SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
-"i	  SSL3 RSA WITH NULL MD5\n"
-"j	  SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
-"k	  SSL3 RSA FIPS WITH DES CBC SHA\n"
-"l	  SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
-"m	  SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n",
-	progName);
-	exit(1);
-}
-
-/* Function:  readDataFromSocket()
- *
- * Purpose:  Parse an HTTP request by reading data from a GET or POST.
- *
- */
-SECStatus
-readDataFromSocket(PRFileDesc *sslSocket, DataBuffer *buffer, char **fileName)
-{
-	char  *post;
-	int    numBytes = 0;
-	int    newln    = 0;  /* # of consecutive newlns */
-
-	/* Read data while it comes in from the socket. */
-	while (PR_TRUE) {
-		buffer->index = 0;
-		newln = 0;
-
-		/* Read the buffer. */
-		numBytes = PR_Read(sslSocket, &buffer->data[buffer->index], 
-		                   buffer->remaining);
-		if (numBytes <= 0) {
-			errWarn("PR_Read");
-			return SECFailure;
-		}
-		buffer->dataEnd = buffer->dataStart + numBytes;
-
-		/* Parse the input, starting at the beginning of the buffer.
-		 * Stop when we detect two consecutive \n's (or \r\n's) 
-		 * as this signifies the end of the GET or POST portion.
-		 * The posted data follows.
-		 */
-		while (buffer->index < buffer->dataEnd && newln < 2) {
-			int octet = buffer->data[buffer->index++];
-			if (octet == '\n') {
-				newln++;
-			} else if (octet != '\r') {
-				newln = 0;
-			}
-		}
-
-		/* Came to the end of the buffer, or second newline.
-		 * If we didn't get an empty line ("\r\n\r\n"), then keep on reading.
-		 */
-		if (newln < 2) 
-			continue;
-
-		/* we're at the end of the HTTP request.
-		 * If the request is a POST, then there will be one more
-		 * line of data.
-		 * This parsing is a hack, but ok for SSL test purposes.
-		 */
-		post = PORT_Strstr(buffer->data, "POST ");
-		if (!post || *post != 'P') 
-			break;
-
-		/* It's a post, so look for the next and final CR/LF. */
-		/* We should parse content length here, but ... */
-		while (buffer->index < buffer->dataEnd && newln < 3) {
-			int octet = buffer->data[buffer->index++];
-			if (octet == '\n') {
-				newln++;
-			}
-		}
-
-		if (newln == 3)
-			break;
-	}
-
-	/* Have either (a) a complete get, (b) a complete post, (c) EOF */
-
-	/*  Execute a "GET " operation. */
-	if (buffer->index > 0 && PORT_Strncmp(buffer->data, "GET ", 4) == 0) {
-		int fnLength;
-
-		/* File name is the part after "GET ". */
-		fnLength = strcspn(buffer->data + 5, " \r\n");
-		*fileName = (char *)PORT_Alloc(fnLength + 1);
-		PORT_Strncpy(*fileName, buffer->data + 5, fnLength);
-		(*fileName)[fnLength] = '\0';
-	}
-
-	return SECSuccess;
-}
-
-/* Function:  authenticateSocket()
- *
- * Purpose:  Configure a socket for SSL.
- *
- *
- */
-PRFileDesc * 
-setupSSLSocket(PRFileDesc *tcpSocket, int requestCert)
-{
-	PRFileDesc *sslSocket;
-	SSLKEAType  certKEA;
-	int         certErr = 0;
-	SECStatus   secStatus;
-
-	/* Set the appropriate flags. */
-
-	sslSocket = SSL_ImportFD(NULL, tcpSocket);
-	if (sslSocket == NULL) {
-		errWarn("SSL_ImportFD");
-		goto loser;
-	}
-   
-	secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet SSL_SECURITY");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_SERVER");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, 
-	                       (requestCert >= REQUEST_CERT_ONCE));
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, 
-	                       (requestCert == REQUIRE_CERT_ONCE));
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
-		goto loser;
-	}
-
-	/* Set the appropriate callback routines. */
-
-	secStatus = SSL_AuthCertificateHook(sslSocket, myAuthCertificate, 
-	                                    CERT_GetDefaultCertDB());
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_AuthCertificateHook");
-		goto loser;
-	}
-
-	secStatus = SSL_BadCertHook(sslSocket, 
-	                            (SSLBadCertHandler)myBadCertHandler, &certErr);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_BadCertHook");
-		goto loser;
-	}
-
-	secStatus = SSL_HandshakeCallback(sslSocket,
-	                                  myHandshakeCallback,
-									  NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_HandshakeCallback");
-		goto loser;
-	}
-
-	secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_HandshakeCallback");
-		goto loser;
-	}
-
-	certKEA = NSS_FindCertKEAType(cert);
-
-	secStatus = SSL_ConfigSecureServer(sslSocket, cert, privKey, certKEA);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ConfigSecureServer");
-		goto loser;
-	}
-
-	return sslSocket;
-
-loser:
-
-	PR_Close(tcpSocket);
-	return NULL;
-}
-
-/* Function:  authenticateSocket()
- *
- * Purpose:  Perform client authentication on the socket.
- *
- */
-SECStatus
-authenticateSocket(PRFileDesc *sslSocket, PRBool requireCert)
-{
-	CERTCertificate *cert;
-	SECStatus secStatus;
-
-	/* Returns NULL if client authentication is not enabled or if the
-	 * client had no certificate. */
-	cert = SSL_PeerCertificate(sslSocket);
-	if (cert) {
-		/* Client had a certificate, so authentication is through. */
-		CERT_DestroyCertificate(cert);
-		return SECSuccess;
-	}
-
-	/* Request client to authenticate itself. */
-	secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
-		return SECFailure;
-	}
-
-	/* If desired, require client to authenticate itself.  Note
-	 * SSL_REQUEST_CERTIFICATE must also be on, as above.  */
-	secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, requireCert);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
-		return SECFailure;
-	}
-
-	/* Having changed socket configuration parameters, redo handshake. */
-	secStatus = SSL_ReHandshake(sslSocket, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ReHandshake");
-		return SECFailure;
-	}
-
-	/* Force the handshake to complete before moving on. */
-	secStatus = SSL_ForceHandshake(sslSocket);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ForceHandshake");
-		return SECFailure;
-	}
-
-	return SECSuccess;
-}
-
-/* Function:  writeDataToSocket
- *
- * Purpose:  Write the client's request back to the socket.  If the client
- *           requested a file, dump it to the socket.
- *
- */
-SECStatus
-writeDataToSocket(PRFileDesc *sslSocket, DataBuffer *buffer, char *fileName)
-{
-	int headerLength;
-	int numBytes;
-	char messageBuffer[120];
-	PRFileDesc *local_file_fd = NULL;
-	char header[] = "<html><body><h1>Sample SSL server</h1><br><br>";
-	char filehd[] = "<h2>The file you requested:</h2><br>";
-	char reqhd[]  = "<h2>This is your request:</h2><br>";
-	char link[]   = "Try getting a <a HREF=\"../testfile\">file</a><br>";
-	char footer[] = "<br><h2>End of request.</h2><br></body></html>";
-
-	headerLength = PORT_Strlen(defaultHeader);
-
-	/* Write a header to the socket. */
-	numBytes = PR_Write(sslSocket, header, PORT_Strlen(header));
-	if (numBytes < 0) {
-		errWarn("PR_Write");
-		goto loser;
-	}
-
-	if (fileName) {
-		PRFileInfo  info;
-		PRStatus    prStatus;
-
-		/* Try to open the local file named.	
-		 * If successful, then write it to the client.
-		 */
-		prStatus = PR_GetFileInfo(fileName, &info);
-		if (prStatus != PR_SUCCESS ||
-		    info.type != PR_FILE_FILE ||
-		    info.size < 0) {
-			PORT_Free(fileName);
-			/* Maybe a GET not sent from client.c? */
-			goto writerequest;
-		}
-
-		local_file_fd = PR_Open(fileName, PR_RDONLY, 0);
-		if (local_file_fd == NULL) {
-			PORT_Free(fileName);
-			goto writerequest;
-		}
-
-		/* Write a header to the socket. */
-		numBytes = PR_Write(sslSocket, filehd, PORT_Strlen(filehd));
-		if (numBytes < 0) {
-			errWarn("PR_Write");
-			goto loser;
-		}
-
-		/* Transmit the local file prepended by the default header
-		 * across the socket.
-		 */
-		numBytes = PR_TransmitFile(sslSocket, local_file_fd, 
-		                           defaultHeader, headerLength,
-		                           PR_TRANSMITFILE_KEEP_OPEN,
-		                           PR_INTERVAL_NO_TIMEOUT);
-
-		/* Error in transmission. */
-		if (numBytes < 0) {
-			errWarn("PR_TransmitFile");
-			/*
-			i = PORT_Strlen(errString);
-			PORT_Memcpy(buf, errString, i);
-			*/
-		/* Transmitted bytes successfully. */
-		} else {
-			numBytes -= headerLength;
-			fprintf(stderr, "PR_TransmitFile wrote %d bytes from %s\n",
-			        numBytes, fileName);
-		}
-
-		PORT_Free(fileName);
-		PR_Close(local_file_fd);
-	}
-
-writerequest:
-
-	/* Write a header to the socket. */
-	numBytes = PR_Write(sslSocket, reqhd, PORT_Strlen(reqhd));
-	if (numBytes < 0) {
-		errWarn("PR_Write");
-		goto loser;
-	}
-
-	/* Write the buffer data to the socket. */
-	if (buffer->index <= 0) {
-		/* Reached the EOF.  Report incomplete transaction to socket. */
-		PORT_Sprintf(messageBuffer,
-		             "GET or POST incomplete after %d bytes.\r\n",
-		             buffer->dataEnd);
-		numBytes = PR_Write(sslSocket, messageBuffer, 
-		                    PORT_Strlen(messageBuffer));
-		if (numBytes < 0) {
-			errWarn("PR_Write");
-			goto loser;
-		}
-	} else {
-		/* Display the buffer data. */
-		fwrite(buffer->data, 1, buffer->index, stdout);
-		/* Write the buffer data to the socket. */
-		numBytes = PR_Write(sslSocket, buffer->data, buffer->index);
-		if (numBytes < 0) {
-			errWarn("PR_Write");
-			goto loser;
-		}
-		/* Display security information for the socket. */
-		printSecurityInfo(sslSocket);
-		/* Write any discarded data out to the socket. */
-		if (buffer->index < buffer->dataEnd) {
-			PORT_Sprintf(buffer->data, "Discarded %d characters.\r\n", 
-			             buffer->dataEnd - buffer->index);
-			numBytes = PR_Write(sslSocket, buffer->data, 
-			                    PORT_Strlen(buffer->data));
-			if (numBytes < 0) {
-				errWarn("PR_Write");
-				goto loser;
-			}
-		}
-	}
-
-	/* Write a footer to the socket. */
-	numBytes = PR_Write(sslSocket, footer, PORT_Strlen(footer));
-	if (numBytes < 0) {
-		errWarn("PR_Write");
-		goto loser;
-	}
-
-	/* Write a link to the socket. */
-	numBytes = PR_Write(sslSocket, link, PORT_Strlen(link));
-	if (numBytes < 0) {
-		errWarn("PR_Write");
-		goto loser;
-	}
-
-	/* Complete the HTTP transaction. */
-	numBytes = PR_Write(sslSocket, "EOF\r\n\r\n\r\n", 9);
-	if (numBytes < 0) {
-		errWarn("PR_Write");
-		goto loser;
-	}
-
-	/* Do a nice shutdown if asked. */
-	if (!strncmp(buffer->data, stopCmd, strlen(stopCmd))) {
-		stopping = 1;
-	}
-	return SECSuccess;
-
-loser:
-
-	/* Do a nice shutdown if asked. */
-	if (!strncmp(buffer->data, stopCmd, strlen(stopCmd))) {
-		stopping = 1;
-	}
-	return SECFailure;
-}
-
-/* Function:  int handle_connection()
- *
- * Purpose:  Thread to handle a connection to a socket.
- *
- */
-SECStatus
-handle_connection(void *tcp_sock, int requestCert)
-{
-	PRFileDesc *       tcpSocket = (PRFileDesc *)tcp_sock;
-	PRFileDesc *       sslSocket = NULL;
-	SECStatus          secStatus = SECFailure;
-	PRStatus           prStatus;
-	PRSocketOptionData socketOption;
-	DataBuffer         buffer;
-	char *             fileName = NULL;
-
-	/* Initialize the data buffer. */
-	memset(buffer.data, 0, BUFFER_SIZE);
-	buffer.remaining = BUFFER_SIZE;
-	buffer.index = 0;
-	buffer.dataStart = 0;
-	buffer.dataEnd = 0;
-
-	/* Make sure the socket is blocking. */
-	socketOption.option             = PR_SockOpt_Nonblocking;
-	socketOption.value.non_blocking = PR_FALSE;
-	PR_SetSocketOption(tcpSocket, &socketOption);
-
-	sslSocket = setupSSLSocket(tcpSocket, requestCert);
-	if (sslSocket == NULL) {
-		errWarn("setupSSLSocket");
-		goto cleanup;
-	}
-
-	secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ResetHandshake");
-		goto cleanup;
-	}
-
-	/* Read data from the socket, parse it for HTTP content.
-	 * If the user is requesting/requiring authentication, authenticate
-	 * the socket.  Then write the result back to the socket.  */
-	fprintf(stdout, "\nReading data from socket...\n\n");
-	secStatus = readDataFromSocket(sslSocket, &buffer, &fileName);
-	if (secStatus != SECSuccess) {
-		goto cleanup;
-	}
-	if (requestCert >= REQUEST_CERT_ALL) {
-		fprintf(stdout, "\nAuthentication requested.\n\n");
-		secStatus = authenticateSocket(sslSocket, 
-		                               (requestCert == REQUIRE_CERT_ALL));
-		if (secStatus != SECSuccess) {
-			goto cleanup;
-		}
-	}
-
-	fprintf(stdout, "\nWriting data to socket...\n\n");
-	secStatus = writeDataToSocket(sslSocket, &buffer, fileName);
-
-cleanup:
-
-	/* Close down the socket. */
-	prStatus = PR_Close(tcpSocket);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_Close");
-	}
-
-	return secStatus;
-}
-
-/* Function:  int accept_connection()
- *
- * Purpose:  Thread to accept a connection to the socket.
- *
- */
-SECStatus
-accept_connection(void *listener, int requestCert)
-{
-	PRFileDesc *listenSocket = (PRFileDesc*)listener;
-	PRNetAddr   addr;
-	PRStatus    prStatus;
-
-	/* XXX need an SSL socket here? */
-	while (!stopping) {
-		PRFileDesc *tcpSocket;
-		SECStatus	result;
-
-		fprintf(stderr, "\n\n\nAbout to call accept.\n");
-
-		/* Accept a connection to the socket. */
-		tcpSocket = PR_Accept(listenSocket, &addr, PR_INTERVAL_NO_TIMEOUT);
-		if (tcpSocket == NULL) {
-			errWarn("PR_Accept");
-			break;
-		}
-
-		/* Accepted the connection, now handle it. */
-		result = launch_thread(&threadMGR, handle_connection, 
-		                       tcpSocket, requestCert);
-
-		if (result != SECSuccess) {
-			prStatus = PR_Close(tcpSocket);
-			if (prStatus != PR_SUCCESS) {
-				exitErr("PR_Close");
-			}
-			break;
-		}
-	}
-
-	fprintf(stderr, "Closing listen socket.\n");
-
-	prStatus = PR_Close(listenSocket);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_Close");
-	}
-	return SECSuccess;
-}
-
-/* Function:  void server_main()
- *
- * Purpose:  This is the server's main function.  It configures a socket
- *			 and listens to it.
- *
- */
-void
-server_main(
-	unsigned short      port, 
-	int                 requestCert, 
-	SECKEYPrivateKey *  privKey,
-	CERTCertificate *   cert, 
-	PRBool              disableSSL3)
-{
-	SECStatus           secStatus;
-	PRStatus            prStatus;
-	PRFileDesc *        listenSocket;
-	PRNetAddr           addr;
-	PRSocketOptionData  socketOption;
-
-	/* Create a new socket. */
-	listenSocket = PR_NewTCPSocket();
-	if (listenSocket == NULL) {
-		exitErr("PR_NewTCPSocket");
-	}
-
-	/* Set socket to be blocking -
-	 * on some platforms the default is nonblocking.
-	 */
-	socketOption.option = PR_SockOpt_Nonblocking;
-	socketOption.value.non_blocking = PR_FALSE;
-
-	prStatus = PR_SetSocketOption(listenSocket, &socketOption);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_SetSocketOption");
-	}
-
-	/* This cipher is not on by default. The Acceptance test
-	 * would like it to be. Turn this cipher on.
-	 */
-	secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		exitErr("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
-	}
-
-	/* Configure the network connection. */
-	addr.inet.family = PR_AF_INET;
-	addr.inet.ip	 = PR_INADDR_ANY;
-	addr.inet.port	 = PR_htons(port);
-
-	/* Bind the address to the listener socket. */
-	prStatus = PR_Bind(listenSocket, &addr);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_Bind");
-	}
-
-	/* Listen for connection on the socket.  The second argument is
-	 * the maximum size of the queue for pending connections.
-	 */
-	prStatus = PR_Listen(listenSocket, 5);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_Listen");
-	}
-
-	/* Launch thread to handle connections to the socket. */
-	secStatus = launch_thread(&threadMGR, accept_connection, 
-                              listenSocket, requestCert);
-	if (secStatus != SECSuccess) {
-		PR_Close(listenSocket);
-	} else {
-		reap_threads(&threadMGR);
-		destroy_thread_data(&threadMGR);
-	}
-}
-
-/* Function: int main()
- *
- * Purpose:  Parses command arguments and configures SSL server.
- *
- */
-int
-main(int argc, char **argv)
-{
-	char *              progName      = NULL;
-	char *              nickName      = NULL;
-	char *              cipherString  = NULL;
-	char *              dir           = ".";
-	int                 requestCert   = 0;
-	unsigned short      port          = 0;
-	SECStatus           secStatus;
-	PRBool              disableSSL3   = PR_FALSE;
-	PLOptState *        optstate;
-	PLOptStatus         status;
-
-	/* Zero out the thread manager. */
-	PORT_Memset(&threadMGR, 0, sizeof(threadMGR));
-
-	progName = PL_strdup(argv[0]);
-
-	optstate = PL_CreateOptState(argc, argv, "3FRc:d:fp:n:rw:");
-	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-		switch(optstate->option) {
-		case '3': disableSSL3 = PR_TRUE;                      break;
-		case 'F': requestCert = REQUIRE_CERT_ALL;             break;
-		case 'R': requestCert = REQUEST_CERT_ALL;             break;
-		case 'c': cipherString = PL_strdup(optstate->value);  break;
-		case 'd': dir = PL_strdup(optstate->value);           break;
-		case 'f': requestCert = REQUIRE_CERT_ONCE;            break;
-		case 'n': nickName = PL_strdup(optstate->value);      break;
-		case 'p': port = PORT_Atoi(optstate->value);          break;
-		case 'r': requestCert = REQUEST_CERT_ONCE;            break;
-		case 'w': password = PL_strdup(optstate->value);      break;
-		default:
-		case '?': Usage(progName);
-		}
-	}
-
-	if (nickName == NULL || port == 0)
-		Usage(progName);
-
-	/* Call the NSPR initialization routines. */
-	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-	/* Set the cert database password callback. */
-	PK11_SetPasswordFunc(myPasswd);
-
-	/* Initialize NSS. */
-	secStatus = NSS_Init(dir);
-	if (secStatus != SECSuccess) {
-		exitErr("NSS_Init");
-	}
-
-	/* Set the policy for this server (REQUIRED - no default). */
-	secStatus = NSS_SetDomesticPolicy();
-	if (secStatus != SECSuccess) {
-		exitErr("NSS_SetDomesticPolicy");
-	}
-
-	/* XXX keep this? */
-	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
-	if (cipherString) {
-	    int ndx;
-
-	    /* disable all the ciphers, then enable the ones we want. */
-	    disableAllSSLCiphers();
-
-	    while (0 != (ndx = *cipherString++)) {
-		int *cptr;
-		int  cipher;
-
-		if (! isalpha(ndx))
-			Usage(progName);
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-		    /* do nothing */;
-		if (cipher) {
-		    SECStatus status;
-		    status = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-		    if (status != SECSuccess) 
-			errWarn("SSL_CipherPrefSetDefault()");
-		}
-	    }
-	}
-
-	/* Get own certificate and private key. */
-	cert = PK11_FindCertFromNickname(nickName, password);
-	if (cert == NULL) {
-		exitErr("PK11_FindCertFromNickname");
-	}
-
-	privKey = PK11_FindKeyByAnyCert(cert, password);
-	if (privKey == NULL) {
-		exitErr("PK11_FindKeyByAnyCert");
-	}
-
-	/* Configure the server's cache for a multi-process application
-	 * using default timeout values (24 hrs) and directory location (/tmp). 
-	 */
-	SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
-
-	/* Launch server. */
-	server_main(port, requestCert, privKey, cert, disableSSL3);
-
-	/* Shutdown NSS and exit NSPR gracefully. */
-	if (NSS_Shutdown() != SECSuccess) {
-            exit(1);
-        }
-	PR_Cleanup();
-	return 0;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/server.mn
+++ /dev/null
@@ -1,48 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE  = nss
-
-EXPORTS = 
-
-CSRCS =  server.c	\
-	sslsample.c	\
-	$(NULL)
-
-PROGRAM  = server
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslerror.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <string.h>
-#include "nspr.h"
-
-struct tuple_str {
-    PRErrorCode	 errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b)   {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
-
-/* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
- */
-const char *
-SSL_Strerror(PRErrorCode errNum) {
-    PRInt32 low  = 0;
-    PRInt32 high = numStrings - 1;
-    PRInt32 i;
-    PRErrorCode num;
-    static int initDone;
-
-    /* make sure table is in ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-	PRErrorCode lastNum = (PRInt32)0x80000000;
-    	for (i = low; i <= high; ++i) {
-	    num = errStrings[i].errNum;
-	    if (num <= lastNum) {
-	    	fprintf(stderr, 
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
-		        i, lastNum, errStrings[i-1].errString, 
-			num, errStrings[i].errString);
-	    }
-	    lastNum = num;
-	}
-	initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-    	i = (low + high) / 2;
-	num = errStrings[i].errNum;
-	if (errNum == num) 
-	    return errStrings[i].errString;
-        if (errNum < num)
-	    high = i;
-	else 
-	    low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-    	return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-    	return errStrings[high].errString;
-    return NULL;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslsample.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "sslsample.h"
-#include "sslerror.h"
-
-/* Declare SSL cipher suites. */
-
-int ssl2CipherSuites[] = {
-	SSL_EN_RC4_128_WITH_MD5,              /* A */
-	SSL_EN_RC4_128_EXPORT40_WITH_MD5,     /* B */
-	SSL_EN_RC2_128_CBC_WITH_MD5,          /* C */
-	SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */
-	SSL_EN_DES_64_CBC_WITH_MD5,           /* E */
-	SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     /* F */
-	0
-};
-
-int ssl3CipherSuites[] = {
-	-1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA  a */
-	-1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */
-	SSL_RSA_WITH_RC4_128_MD5,               /* c */
-	SSL_RSA_WITH_3DES_EDE_CBC_SHA,          /* d */
-	SSL_RSA_WITH_DES_CBC_SHA,               /* e */
-	SSL_RSA_EXPORT_WITH_RC4_40_MD5,         /* f */
-	SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     /* g */
-	-1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,   * h */
-	SSL_RSA_WITH_NULL_MD5,                  /* i */
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     /* j */
-	SSL_RSA_FIPS_WITH_DES_CBC_SHA,          /* k */
-	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    /* l */
-	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     /* m */
-	0
-};
-
-/**************************************************************************
-** 
-** SSL callback routines.
-**
-**************************************************************************/
-
-/* Function: char * myPasswd()
- * 
- * Purpose: This function is our custom password handler that is called by
- * SSL when retreiving private certs and keys from the database. Returns a
- * pointer to a string that with a password for the database. Password pointer
- * should point to dynamically allocated memory that will be freed later.
- */
-char *
-myPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
-{
-	char * passwd = NULL;
-
-	if ( (!retry) && arg ) {
-		passwd = PORT_Strdup((char *)arg);
-	}
-
-	return passwd;
-}
-
-/* Function: SECStatus myAuthCertificate()
- *
- * Purpose: This function is our custom certificate authentication handler.
- * 
- * Note: This implementation is essentially the same as the default 
- *       SSL_AuthCertificate().
- */
-SECStatus 
-myAuthCertificate(void *arg, PRFileDesc *socket, 
-                  PRBool checksig, PRBool isServer) 
-{
-
-	SECCertUsage        certUsage;
-	CERTCertificate *   cert;
-	void *              pinArg;
-	char *              hostName;
-	SECStatus           secStatus;
-
-	if (!arg || !socket) {
-		errWarn("myAuthCertificate");
-		return SECFailure;
-	}
-
-	/* Define how the cert is being used based upon the isServer flag. */
-
-	certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
-
-	cert = SSL_PeerCertificate(socket);
-	
-	pinArg = SSL_RevealPinArg(socket);
-
-	secStatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg,
-	                               cert,
-	                               checksig,
-	                               certUsage,
-	                               pinArg);
-
-	/* If this is a server, we're finished. */
-	if (isServer || secStatus != SECSuccess) {
-		CERT_DestroyCertificate(cert);
-		return secStatus;
-	}
-
-	/* Certificate is OK.  Since this is the client side of an SSL
-	 * connection, we need to verify that the name field in the cert
-	 * matches the desired hostname.  This is our defense against
-	 * man-in-the-middle attacks.
-	 */
-
-	/* SSL_RevealURL returns a hostName, not an URL. */
-	hostName = SSL_RevealURL(socket);
-
-	if (hostName && hostName[0]) {
-		secStatus = CERT_VerifyCertName(cert, hostName);
-	} else {
-		PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
-		secStatus = SECFailure;
-	}
-
-	if (hostName)
-		PR_Free(hostName);
-
-	CERT_DestroyCertificate(cert);
-	return secStatus;
-}
-
-/* Function: SECStatus myBadCertHandler()
- *
- * Purpose: This callback is called when the incoming certificate is not
- * valid. We define a certain set of parameters that still cause the
- * certificate to be "valid" for this session, and return SECSuccess to cause
- * the server to continue processing the request when any of these conditions
- * are met. Otherwise, SECFailure is return and the server rejects the 
- * request.
- */
-SECStatus 
-myBadCertHandler(void *arg, PRFileDesc *socket) 
-{
-
-    SECStatus	secStatus = SECFailure;
-    PRErrorCode	err;
-
-    /* log invalid cert here */
-
-    if (!arg) {
-		return secStatus;
-    }
-
-    *(PRErrorCode *)arg = err = PORT_GetError();
-
-    /* If any of the cases in the switch are met, then we will proceed   */
-    /* with the processing of the request anyway. Otherwise, the default */	
-    /* case will be reached and we will reject the request.              */
-
-    switch (err) {
-    case SEC_ERROR_INVALID_AVA:
-    case SEC_ERROR_INVALID_TIME:
-    case SEC_ERROR_BAD_SIGNATURE:
-    case SEC_ERROR_EXPIRED_CERTIFICATE:
-    case SEC_ERROR_UNKNOWN_ISSUER:
-    case SEC_ERROR_UNTRUSTED_CERT:
-    case SEC_ERROR_CERT_VALID:
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-    case SEC_ERROR_CRL_EXPIRED:
-    case SEC_ERROR_CRL_BAD_SIGNATURE:
-    case SEC_ERROR_EXTENSION_VALUE_INVALID:
-    case SEC_ERROR_CA_CERT_INVALID:
-    case SEC_ERROR_CERT_USAGES_INVALID:
-    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
-		secStatus = SECSuccess;
-	break;
-    default:
-		secStatus = SECFailure;
-	break;
-    }
-
-	printf("Bad certificate: %d, %s\n", err, SSL_Strerror(err));
-
-    return secStatus;
-}
-
-/* Function: SECStatus ownGetClientAuthData()
- *
- * Purpose: This callback is used by SSL to pull client certificate 
- * information upon server request.
- */
-SECStatus 
-myGetClientAuthData(void *arg,
-                    PRFileDesc *socket,
-                    struct CERTDistNamesStr *caNames,
-                    struct CERTCertificateStr **pRetCert,
-                    struct SECKEYPrivateKeyStr **pRetKey) 
-{
-
-    CERTCertificate *  cert;
-    SECKEYPrivateKey * privKey;
-    char *             chosenNickName = (char *)arg;
-    void *             proto_win      = NULL;
-    SECStatus          secStatus      = SECFailure;
-
-    proto_win = SSL_RevealPinArg(socket);
-
-    if (chosenNickName) {
-		cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
-		if (cert) {
-		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-		    if (privKey) {
-				secStatus = SECSuccess;
-		    } else {
-				CERT_DestroyCertificate(cert);
-		    }
-		}
-    } else { /* no nickname given, automatically find the right cert */
-	CERTCertNicknames *names;
-	int                i;
-
-	names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), 
-				      SEC_CERT_NICKNAMES_USER, proto_win);
-
-	if (names != NULL) {
-	    for(i = 0; i < names->numnicknames; i++ ) {
-
-		cert = PK11_FindCertFromNickname(names->nicknames[i], 
-						 proto_win);
-		if (!cert) {
-		    continue;
-		}
-
-		/* Only check unexpired certs */
-		if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
-		      != secCertTimeValid ) {
-		    CERT_DestroyCertificate(cert);
-		    continue;
-		}
-
-		secStatus = NSS_CmpCertChainWCANames(cert, caNames);
-		if (secStatus == SECSuccess) {
-		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-		    if (privKey) {
-			break;
-		    }
-		    secStatus = SECFailure;
-		    break;
-		}
-	    } /* for loop */
-	    CERT_FreeNicknames(names);
-	}
-    }
-
-    if (secStatus == SECSuccess) {
-		*pRetCert = cert;
-		*pRetKey  = privKey;
-    }
-
-    return secStatus;
-}
-
-/* Function: SECStatus myHandshakeCallback()
- *
- * Purpose: Called by SSL to inform application that the handshake is
- * complete. This function is mostly used on the server side of an SSL
- * connection, although it is provided for a client as well.
- * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake 
- * is used to initiate a handshake.
- *
- * A typical scenario would be:
- *
- * 1. Server accepts an SSL connection from the client without client auth.
- * 2. Client sends a request.
- * 3. Server determines that to service request it needs to authenticate the
- * client and initiates another handshake requesting client auth.
- * 4. While handshake is in progress, server can do other work or spin waiting
- * for the handshake to complete.
- * 5. Server is notified that handshake has been successfully completed by
- * the custom handshake callback function and it can service the client's
- * request.
- *
- * Note: This function is not implemented in this sample, as we are using
- * blocking sockets.
- */
-void
-myHandshakeCallback(PRFileDesc *socket, void *arg) 
-{
-    printf("Handshake has completed, ready to send data securely.\n");
-}
-
-
-/**************************************************************************
-** 
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    /* disable all the SSL3 cipher suites */
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
-	    	   suite, i);
-	    errWarn("SSL_CipherPrefSetDefault");
-	    exit(2);
-	}
-    }
-}
-
-/**************************************************************************
-** 
-** Error and information routines.
-**
-**************************************************************************/
-
-void
-errWarn(char *function)
-{
-	PRErrorCode  errorNumber = PR_GetError();
-	const char * errorString = SSL_Strerror(errorNumber);
-
-	printf("Error in function %s: %d\n - %s\n",
-			function, errorNumber, errorString);
-}
-
-void
-exitErr(char *function)
-{
-	errWarn(function);
-	/* Exit gracefully. */
-	/* ignoring return value of NSS_Shutdown as code exits with 1*/
-	(void) NSS_Shutdown();
-	PR_Cleanup();
-	exit(1);
-}
-
-void 
-printSecurityInfo(PRFileDesc *fd)
-{
-	char * cp;	/* bulk cipher name */
-	char * ip;	/* cert issuer DN */
-	char * sp;	/* cert subject DN */
-	int    op;	/* High, Low, Off */
-	int    kp0;	/* total key bits */
-	int    kp1;	/* secret key bits */
-	int    result;
-	SSL3Statistics * ssl3stats = SSL_GetStatistics();
-
-	result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
-	if (result != SECSuccess)
-		return;
-	printf("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
-		   "subject DN: %s\n"
-	   "issuer	DN: %s\n", cp, kp1, kp0, op, sp, ip);
-	PR_Free(cp);
-	PR_Free(ip);
-	PR_Free(sp);
-
-	printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
-		ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
-	ssl3stats->hch_sid_cache_not_ok);
-
-}
-
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-
-void
-thread_wrapper(void * arg)
-{
-	GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg;
-	perThread *slot = &threadMGR->threads[threadMGR->index];
-
-	/* wait for parent to finish launching us before proceeding. */
-	PR_Lock(threadMGR->threadLock);
-	PR_Unlock(threadMGR->threadLock);
-
-	slot->rv = (* slot->startFunc)(slot->a, slot->b);
-
-	PR_Lock(threadMGR->threadLock);
-	slot->running = rs_zombie;
-
-	/* notify the thread exit handler. */
-	PR_NotifyCondVar(threadMGR->threadEndQ);
-
-	PR_Unlock(threadMGR->threadLock);
-}
-
-SECStatus
-launch_thread(GlobalThreadMgr *threadMGR,
-              startFn         *startFunc,
-              void            *a,
-              int              b)
-{
-	perThread *slot;
-	int        i;
-
-	if (!threadMGR->threadStartQ) {
-		threadMGR->threadLock   = PR_NewLock();
-		threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock);
-		threadMGR->threadEndQ   = PR_NewCondVar(threadMGR->threadLock);
-	}
-	PR_Lock(threadMGR->threadLock);
-	while (threadMGR->numRunning >= MAX_THREADS) {
-		PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT);
-	}
-	for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running == rs_idle) 
-			break;
-	}
-	if (i >= threadMGR->numUsed) {
-		if (i >= MAX_THREADS) {
-			/* something's really wrong here. */
-			PORT_Assert(i < MAX_THREADS);
-			PR_Unlock(threadMGR->threadLock);
-			return SECFailure;
-		}
-		++(threadMGR->numUsed);
-		PORT_Assert(threadMGR->numUsed == i + 1);
-		slot = &threadMGR->threads[i];
-	}
-
-	slot->a = a;
-	slot->b = b;
-	slot->startFunc = startFunc;
-
-	threadMGR->index = i;
-
-	slot->prThread = PR_CreateThread(PR_USER_THREAD,
-	                                 thread_wrapper, threadMGR,
-	                                 PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
-	                                 PR_JOINABLE_THREAD, 0);
-
-	if (slot->prThread == NULL) {
-		PR_Unlock(threadMGR->threadLock);
-		printf("Failed to launch thread!\n");
-		return SECFailure;
-	} 
-
-	slot->inUse   = 1;
-	slot->running = 1;
-	++(threadMGR->numRunning);
-	PR_Unlock(threadMGR->threadLock);
-	printf("Launched thread in slot %d \n", threadMGR->index);
-
-	return SECSuccess;
-}
-
-SECStatus 
-reap_threads(GlobalThreadMgr *threadMGR)
-{
-	perThread * slot;
-	int			i;
-
-	if (!threadMGR->threadLock)
-		return 0;
-	PR_Lock(threadMGR->threadLock);
-	while (threadMGR->numRunning > 0) {
-	    PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
-	    for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running == rs_zombie)  {
-		    /* Handle cleanup of thread here. */
-		    printf("Thread in slot %d returned %d\n", i, slot->rv);
-
-		    /* Now make sure the thread has ended OK. */
-		    PR_JoinThread(slot->prThread);
-		    slot->running = rs_idle;
-		    --threadMGR->numRunning;
-
-		    /* notify the thread launcher. */
-		    PR_NotifyCondVar(threadMGR->threadStartQ);
-		}
-	    }
-	}
-
-	/* Safety Sam sez: make sure count is right. */
-	for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running != rs_idle)  {
-			fprintf(stderr, "Thread in slot %d is in state %d!\n", 
-			                 i, slot->running);
-		}
-	}
-	PR_Unlock(threadMGR->threadLock);
-	return 0;
-}
-
-void
-destroy_thread_data(GlobalThreadMgr *threadMGR)
-{
-	PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads));
-
-	if (threadMGR->threadEndQ) {
-		PR_DestroyCondVar(threadMGR->threadEndQ);
-		threadMGR->threadEndQ = NULL;
-	}
-	if (threadMGR->threadStartQ) {
-		PR_DestroyCondVar(threadMGR->threadStartQ);
-		threadMGR->threadStartQ = NULL;
-	}
-	if (threadMGR->threadLock) {
-		PR_DestroyLock(threadMGR->threadLock);
-		threadMGR->threadLock = NULL;
-	}
-}
-
-/**************************************************************************
-** End	 thread management routines.
-**************************************************************************/
-
-void 
-lockedVars_Init( lockedVars * lv)
-{
-	lv->count	= 0;
-	lv->waiters = 0;
-	lv->lock	= PR_NewLock();
-	lv->condVar = PR_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
-	PR_DestroyCondVar(lv->condVar);
-	lv->condVar = NULL;
-
-	PR_DestroyLock(lv->lock);
-	lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
-	PR_Lock(lv->lock);
-	while (lv->count > 0) {
-		PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
-	}
-	PR_Unlock(lv->lock);
-}
-
-int	/* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
-	int rv;
-
-	PR_Lock(lv->lock);
-	rv = lv->count += addend;
-	if (rv <= 0) {
-	PR_NotifyCondVar(lv->condVar);
-	}
-	PR_Unlock(lv->lock);
-	return rv;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslsample.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef SSLSAMPLE_H
-#define SSLSAMPLE_H
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-/*
-#include "sslerror.h"
-*/
-
-#define BUFFER_SIZE 10240
-
-/* Declare SSL cipher suites. */
-
-extern int cipherSuites[];
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-/* Data buffer read from a socket. */
-typedef struct DataBufferStr {
-	char data[BUFFER_SIZE];
-	int  index;
-	int  remaining;
-	int  dataStart;
-	int  dataEnd;
-} DataBuffer;
-
-/* SSL callback routines. */
-
-char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg);
-
-SECStatus myAuthCertificate(void *arg, PRFileDesc *socket,
-                            PRBool checksig, PRBool isServer);
-
-SECStatus myBadCertHandler(void *arg, PRFileDesc *socket);
-
-void myHandshakeCallback(PRFileDesc *socket, void *arg);
-
-SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
-                              struct CERTDistNamesStr *caNames,
-                              struct CERTCertificateStr **pRetCert,
-                              struct SECKEYPrivateKeyStr **pRetKey);
-
-/* Disable all v2/v3 SSL ciphers. */
-
-void disableAllSSLCiphers(void);
-
-
-/* Error and information utilities. */
-
-void errWarn(char *function);
-
-void exitErr(char *function);
-
-void printSecurityInfo(PRFileDesc *fd);
-
-/* Some simple thread management routines. */
-
-#define MAX_THREADS 32
-
-typedef SECStatus startFn(void *a, int b);
-
-typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
-
-typedef struct perThreadStr {
-	PRFileDesc *a;
-	int         b;
-	int         rv;
-	startFn    *startFunc;
-	PRThread   *prThread;
-	PRBool      inUse;
-	runState    running;
-} perThread;
-
-typedef struct GlobalThreadMgrStr {
-	PRLock	  *threadLock;
-	PRCondVar *threadStartQ;
-	PRCondVar *threadEndQ;
-	perThread  threads[MAX_THREADS];
-	int        index;
-	int        numUsed;
-	int        numRunning;
-} GlobalThreadMgr;
-
-void thread_wrapper(void * arg);
-
-SECStatus launch_thread(GlobalThreadMgr *threadMGR, 
-                        startFn *startFunc, void *a, int b);
-
-SECStatus reap_threads(GlobalThreadMgr *threadMGR);
-
-void destroy_thread_data(GlobalThreadMgr *threadMGR);
-
-/* Management of locked variables. */
-
-struct lockedVarsStr {
-	PRLock *    lock;
-	int         count;
-	int         waiters;
-	PRCondVar * condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void lockedVars_Init(lockedVars *lv);
-
-void lockedVars_Destroy(lockedVars *lv);
-
-void lockedVars_WaitForDone(lockedVars *lv);
-
-int lockedVars_AddToCount(lockedVars *lv, int addend);
-
-/* Buffer stuff. */
-
-static const char stopCmd[] = { "GET /stop " };
-static const char defaultHeader[] = {
-	"HTTP/1.0 200 OK\r\n"
-	"Server: SSL sample server\r\n"
-	"Content-type: text/plain\r\n"
-	"\r\n"
-};
-
-#endif
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -532,17 +532,17 @@ listCerts(CERTCertDBHandle *handle, char
 }
 
 static SECStatus
 ListCerts(CERTCertDBHandle *handle, char *nickname, PK11SlotInfo *slot,
           PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
 {
     SECStatus rv;
 
-    if (!ascii && !raw) {
+    if (!ascii && !raw && !nickname) {
         PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n",
                    "Certificate Nickname", "Trust Attributes", "",
                    "SSL,S/MIME,JAR/XPI");
     }
     if (slot == NULL) {
 	CERTCertList *list;
 	CERTCertListNode *node;
 
@@ -2202,17 +2202,17 @@ certutil_main(int argc, char **argv, PRB
 	           "%s: cannot specify both -r and -a when dumping cert.\n",
 	           progName);
 	return 255;
     }
 
     /*  If making a cert request, need a subject.  */
     if ((certutil.commands[cmd_CertReq].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated) &&
-        !certutil.options[opt_Subject].activated) {
+        !(certutil.options[opt_Subject].activated || keysource)) {
 	PR_fprintf(PR_STDERR, 
 	           "%s -%c: subject is required to create a cert request.\n",
 	           progName, commandToRun);
 	return 255;
     }
 
     /*  If making a cert, need a serial number.  */
     if ((certutil.commands[cmd_CreateNewCert].activated ||
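Review bot: The relaxed guard `!(certutil.options[opt_Subject].activated || keysource)` also exempts `cmd_CreateAndAddCert`, but the later hunk (after `keytype = privkey->keyType;`) fills `subject` from the certificate only when `cmd_CertReq` is activated. If `keysource` can be set for `cmd_CreateAndAddCert` without a subject option, that path continues with `subject` unset. Either narrow the exemption, for example `!(certutil.options[opt_Subject].activated || (keysource && certutil.commands[cmd_CertReq].activated))`, or derive the subject for both commands. Where `keysource` is assigned is outside these hunks, so this needs checking against the option parsing. certutil_main starts and ends outside the hunk.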
@@ -2621,24 +2621,38 @@ merge_fail:
 		    SECU_PrintError(progName,
 			    "%s is neither a key-type nor a nickname", keysource);
 		    return SECFailure;
 		}
 	    }
 	    privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
 	    if (privkey)
 		pubkey = CERT_ExtractPublicKey(keycert);
-	    CERT_DestroyCertificate(keycert);
 	    if (!pubkey) {
 		SECU_PrintError(progName,
 				"Could not get keys from cert %s", keysource);
 		rv = SECFailure;
+		CERT_DestroyCertificate(keycert);
 		goto shutdown;
 	    }
 	    keytype = privkey->keyType;
+	    /* On CertReq for renewal if no subject has been
+	     * specified obtain it from the certificate. 
+	     */
+	    if (certutil.commands[cmd_CertReq].activated && !subject) {
+	        subject = CERT_AsciiToName(keycert->subjectName);
+	        if (!subject) {
+	            SECU_PrintError(progName,
+			"Could not get subject from certificate %s", keysource);
+	            CERT_DestroyCertificate(keycert);
+	            rv = SECFailure;
+	            goto shutdown;
+	        }
+	    }
+	    CERT_DestroyCertificate(keycert);
 	} else {
 	    privkey = 
 		CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
 					    publicExponent, 
 					    certutil.options[opt_NoiseFile].arg,
 					    &pubkey, 
 					    certutil.options[opt_PQGFile].arg,
 					    &pwdata);
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -249,17 +249,17 @@ static SECStatus DeleteCRL (CERTCertDBHa
 
 SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, 
                      PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
 {
     CERTSignedCrl *crl = NULL;
     SECItem crlDER;
     PK11SlotInfo* slot = NULL;
     int rv;
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
     PRIntervalTime starttime, endtime, elapsed;
     PRUint32 mins, secs, msecs;
 #endif
 
     crlDER.data = NULL;
 
 
     /* Read in the entire file specified with the -f argument */
@@ -268,22 +268,22 @@ SECStatus ImportCRL (CERTCertDBHandle *c
 	SECU_PrintError(progName, "unable to read input file");
 	return (SECFailure);
     }
 
     decodeOptions |= CRL_DECODE_DONT_COPY_DER;
 
     slot = PK11_GetInternalKeySlot();
  
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
     starttime = PR_IntervalNow();
 #endif
     crl = PK11_ImportCRL(slot, &crlDER, url, type,
           NULL, importOptions, NULL, decodeOptions);
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
     endtime = PR_IntervalNow();
     elapsed = endtime - starttime;
     mins = PR_IntervalToSeconds(elapsed) / 60;
     secs = PR_IntervalToSeconds(elapsed) % 60;
     msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
     printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
 #endif
     if (!crl) {
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -541,8 +541,17 @@ ER3(SEC_ERROR_BAD_LDAP_RESPONSE,    		(S
 ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA,    		(SEC_ERROR_BASE + 164),
 "Failed to encode data with ASN1 encoder")
 
 ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION,    		(SEC_ERROR_BASE + 165),
 "Bad information access location in cert extension")
 
 ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(SEC_ERROR_BASE + 166),
 "Libpkix internal error occured during cert validation.")
+
+ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
+"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
+
+ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED,      		(SEC_ERROR_BASE + 168),
+"A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
+
+ER3(SEC_ERROR_PKCS11_DEVICE_ERROR,      		(SEC_ERROR_BASE + 169),
+"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
--- a/security/nss/cmd/lib/ffs.c
+++ b/security/nss/cmd/lib/ffs.c
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-#ifdef XP_PC
+#if !defined(XP_UNIX) && !defined(XP_OS2)
 
 int ffs( unsigned int i)
 {
     int rv	= 1;
 
     if (!i) return 0;
 
     while (!(i & 1)) {
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -1052,27 +1052,28 @@ static void
 secu_PrintTime(FILE *out, int64 time, char *m, int level)
 {
     PRExplodedTime printableTime; 
     char *timeString;
 
     /* Convert to local time */
     PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
 
-    timeString = PORT_Alloc(100);
+    timeString = PORT_Alloc(256);
     if (timeString == NULL)
 	return;
 
     if (m != NULL) {
 	SECU_Indent(out, level);
 	fprintf(out, "%s: ", m);
     }
 
-    PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime);
-    fprintf(out, timeString);
+    if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
+        fprintf(out, timeString);
+    }
 
     if (m != NULL)
 	fprintf(out, "\n");
 
     PORT_Free(timeString);
 }
 
 /*
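Review bot: `fprintf(out, timeString);` in secu_PrintTime still passes a run-time buffer as the format string, and the new return-value check does not change that. The text comes from PR_FormatTime with a fixed pattern, so a `%` in it is unlikely, but the call should not rely on that: use `fputs(timeString, out);` or `fprintf(out, "%s", timeString);`. The size 256 is now written twice, in PORT_Alloc and in PR_FormatTime, and a single named constant would keep the two in step. The comment `/* Convert to local time */` sits above a call that uses `PR_GMTParameters`, so it should read `/* Convert to GMT */`.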
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -445,16 +445,16 @@ SECU_GetOptionArg(const secuCommand *cmd
 /* Return informative error string */
 char *SECU_ErrorString(int16 err);
 
 /* Return informative error string. Does not call XP_GetString */
 char *SECU_ErrorStringRaw(int16 err);
 
 void printflags(char *trusts, unsigned int flags);
 
-#ifndef XP_UNIX
+#if !defined(XP_UNIX) && !defined(XP_OS2)
 extern int ffs(unsigned int i);
 #endif
 
 #include "secerr.h"
 #include "sslerr.h"
 
 #endif /* _SEC_UTIL_H_ */
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -67,17 +67,16 @@ DIRS = lib  \
  pp  \
  rsaperf \
  sdrtest \
  selfserv  \
  signtool \
  signver \
  shlibsign \
  smimetools  \
- SSLsample \
  ssltap  \
  strsclnt \
  symkeyutil \
  tests \
  tstclnt  \
  vfychain \
  vfyserv \
  modutil \
--- a/security/nss/cmd/modutil/error.h
+++ b/security/nss/cmd/modutil/error.h
@@ -32,16 +32,20 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef MODUTIL_ERROR_H
 #define MODUTIL_ERROR_H
 
+/*
+ * The values of these enumerated constants are immutable and must not be
+ * changed.
+ */
 typedef enum {
 	NO_ERR=0,
 	INVALID_USAGE_ERR,
 	UNEXPECTED_ARG_ERR,
 	UNKNOWN_OPTION_ERR,
 	MULTIPLE_COMMAND_ERR,
 	OPTION_NEEDS_ARG_ERR,
 	DUPLICATE_OPTION_ERR,
@@ -56,17 +60,17 @@ typedef enum {
 	FILE_DOESNT_EXIST_ERR,
 	FILE_NOT_READABLE_ERR,
 	FILE_NOT_WRITEABLE_ERR,
 	DIR_DOESNT_EXIST_ERR,
 	DIR_NOT_READABLE_ERR,
 	DIR_NOT_WRITEABLE_ERR,
 	INVALID_CONSTANT_ERR,
 	ADD_MODULE_FAILED_ERR,
-	ADD_MODULE_FAILED_STATUS_ERR,
+	UNUSED_ERR,  /* reserved for future use */
 	OUT_OF_MEM_ERR,
 	DELETE_INTERNAL_ERR,
 	DELETE_FAILED_ERR,
 	NO_LIST_LOCK_ERR,
 	NO_MODULE_LIST_ERR,
 	NO_SUCH_MODULE_ERR,
 	MOD_INFO_ERR,
 	SLOT_INFO_ERR,
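Review bot: `UNUSED_ERR` here and the `"Unused error string",` entry added to errStrings in the next hunk are tied together only by position, and the table entry carries no comment saying so. A comment on the table line, `/* UNUSED_ERR: placeholder, keeps the table aligned with the enum */`, would stop a later cleanup from deleting it and shifting every message after it. The string for `ADD_MODULE_FAILED_ERR` now takes two `%s` arguments, so every use of it has to pass both. The two calls in the pk11.c hunk do; other callers are not visible here. The enum and the table both start and end outside these hunks.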
@@ -109,18 +113,18 @@ static char *errStrings[] = {
 	"ERROR: File \"%s\" already exists.\n",
 	"ERROR: File \"%s\" does not exist.\n",
 	"ERROR: File \"%s\" is not readable.\n",
 	"ERROR: File \"%s\" is not writeable.\n",
 	"ERROR: Directory \"%s\" does not exist.\n",
 	"ERROR: Directory \"%s\" is not readable.\n",
 	"ERROR: Directory \"%s\" is not writeable.\n",
 	"\"%s\" is not a recognized value.\n",
-	"ERROR: Failed to add module \"%s\".\n",
 	"ERROR: Failed to add module \"%s\". Probable cause : \"%s\".\n",
+	"Unused error string",
 	"ERROR: Out of memory.\n",
 	"ERROR: Cannot delete internal module.\n",
 	"ERROR: Failed to delete module \"%s\".\n",
 	"ERROR: Unable to obtain lock on module list.\n",
 	"ERROR: Unable to obtain module list.\n",
 	"ERROR: Module \"%s\" not found in database.\n",
 	"ERROR: Unable to get information about module \"%s\".\n",
 	"ERROR: Unable to get information about slot \"%s\".\n",
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -292,22 +292,22 @@ AddModule(char *moduleName, char *libFil
     if(status != SECSuccess) {
 	char* errtxt=NULL;
 	PRInt32 copied = 0;
 	if (PR_GetErrorTextLength()) {
 	    errtxt = PR_Malloc(PR_GetErrorTextLength());
 	    copied = PR_GetErrorText(errtxt);
 	}
 	if (copied && errtxt) {
-	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_STATUS_ERR], 
+	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
 		       moduleName, errtxt);
 	    PR_Free(errtxt);
 	} else {
 	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
-		       moduleName);
+		       moduleName, SECU_Strerror(PORT_GetError()));
 	}
 	return ADD_MODULE_FAILED_ERR;
     } else {
 	PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
 	return SUCCESS;
     }
 }
 
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -62,18 +62,18 @@ Usage(char *progName)
     FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
 
     FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname] [-r]\n",
 				 progName);
     FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
 
     FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n", 
         progName);
-    FPS "\t\t [-c key_cipher] [-C cert_cipher] [-k key_leng]\n");
-    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+    FPS "\t\t [-c key_cipher] [-C cert_cipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen]\n");
+    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filefilepw]\n");
 
     exit(PK12UERR_USAGE);
 }
 
 static PRBool
 p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
 {
     if(!p12cxt || !p12cxt->filename) {
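Review bot: The export usage now lists `-n` twice with different meanings: `-n certname` on the first line and `[-n | --cert_key_len certKeyLen]` on the next, and the option table in the following hunk gives `opt_CertKeyLength` the short letter `'n'`. If the table entry for the certificate nickname (outside this hunk) also uses `'n'`, one of the two can never be selected by its short form. Pick a letter that is not in use, or document only the long form `--cert_key_len`. The same change turns `-W p12filepw` into `-W p12filefilepw`, which looks like a typo since the other usage lines keep `p12filepw`.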
@@ -948,18 +948,18 @@ static secuCommandFlag pk12util_options[
     { /* opt_Export	       */ 'o', PR_TRUE,	 0, PR_FALSE },
     { /* opt_Raw   	       */ 'r', PR_FALSE, 0, PR_FALSE },
     { /* opt_P12FilePWFile     */ 'w', PR_TRUE,	 0, PR_FALSE },
     { /* opt_P12FilePW	       */ 'W', PR_TRUE,	 0, PR_FALSE },
     { /* opt_DBPrefix	       */ 'P', PR_TRUE,	 0, PR_FALSE },
     { /* opt_Debug	       */ 'v', PR_FALSE, 0, PR_FALSE },
     { /* opt_Cipher	       */ 'c', PR_TRUE,  0, PR_FALSE },
     { /* opt_CertCipher	       */ 'C', PR_TRUE,  0, PR_FALSE },
-    { /* opt_KeyLength	       */ 'k', PR_TRUE,  0, PR_FALSE },
-    { /* opt_CertKeyLength     */ 'K', PR_TRUE,  0, PR_FALSE }
+    { /* opt_KeyLength         */ 'm', PR_TRUE,  0, PR_FALSE, "key_len" },
+    { /* opt_CertKeyLength     */ 'n', PR_TRUE,  0, PR_FALSE, "cert_key_len" }
 };
 
 int
 main(int argc, char **argv)
 {
     secuPWData slotPw = { PW_NONE, NULL };
     secuPWData p12FilePw = { PW_NONE, NULL };
     PK11SlotInfo *slot;
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -235,36 +235,16 @@ else
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
-# If GNU ld is used, we must use the -rpath-link option to tell
-# the linker where to find libsoftokn3.so, an implicit dependency
-# of libnss3.so.
-ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD, $(OS_ARCH)))
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-
-ifeq ($(OS_ARCH), SunOS)
-ifdef NS_USE_GCC
-ifdef GCC_USE_GNU_LD
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-endif
-endif
-
-ifeq ($(OS_ARCH), Darwin)
-EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
-endif
-
-
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lssl3 \
 	-lsmime3 \
 	-lnss3 \
 	-lnssutil3 \
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1761,45 +1761,16 @@ beAGoodParent(int argc, char **argv, int
 	PR_WaitProcess(newProcess, &exitCode);
 	fprintf(stderr, "Child %d exited with exit code %x\n", 
 		numChildren, exitCode);
 	numChildren--;
     }
     exit(0);
 }
 
-#ifdef DEBUG_nelsonb
-
-#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
-#define SSL_GETPID getpid
-#elif defined(_WIN32_WCE)
-#define SSL_GETPID GetCurrentProcessId
-#elif defined(WIN32)
-extern int __cdecl _getpid(void);
-#define SSL_GETPID _getpid
-#else
-#define SSL_GETPID() 0   
-#endif
-
-void
-WaitForDebugger(void)
-{
-
-    int waiting       = 12;
-    int myPid         = SSL_GETPID();
-    PRIntervalTime    nrval = PR_SecondsToInterval(5);
-
-    while (waiting) {
-    	printf("child %d is waiting to be debugged!\n", myPid);
-	PR_Sleep(nrval); 
-	--waiting;
-    }
-}
-#endif
-
 #define HEXCHAR_TO_INT(c, i) \
     if (((c) >= '0') && ((c) <= '9')) { \
 	i = (c) - '0'; \
     } else if (((c) >= 'a') && ((c) <= 'f')) { \
 	i = (c) - 'a' + 10; \
     } else if (((c) >= 'A') && ((c) <= 'F')) { \
 	i = (c) - 'A' + 10; \
     } else if ((c) == '\0') { \
@@ -2056,19 +2027,16 @@ main(int argc, char **argv)
 	but it is OK for a test server such as selfserv.
 	NSPR should fix it eventually . see bugzilla 101617
 	and 102077
 	*/
 	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
 	if (prStatus != PR_SUCCESS)
 	    errExit("PR_SetFDInheritable");
 #endif
-#ifdef DEBUG_nelsonb
-	WaitForDebugger();
-#endif
 	rv = SSL_InheritMPServerSIDCache(envString);
 	if (rv != SECSuccess)
 	    errExit("SSL_InheritMPServerSIDCache");
     	hasSidCache = PR_TRUE;
     } else if (maxProcs > 1) {
 	/* we're going to be the parent in a multi-process server.  */
 	listen_sock = getBoundListenSocket(port);
 	rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp);
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Test program for SDR (Secret Decoder Ring) functions.
  *
- * $Id: shlibsign.c,v 1.16 2008/08/08 23:48:04 julien.pierre.boogz%sun.com Exp $
+ * $Id: shlibsign.c,v 1.17 2008/09/30 04:32:43 nelson%bolyard.com Exp $
  */
 
 #ifdef XP_UNIX
 #define USES_LINKS 1
 #endif
 
 #include "nspr.h"
 #include <stdio.h>
@@ -125,16 +125,110 @@ writeItem(PRFileDesc *fd, SECItem *item,
     bytesWritten = PR_Write(fd, item->data, item->len);
     if (bytesWritten != item->len) {
 	lperror(file);
 	return SECFailure;
     }
     return SECSuccess;
 }
 
+static const unsigned char prime[] = { 0x00,
+   0x97, 0x44, 0x1d, 0xcc, 0x0d, 0x39, 0x0d, 0x8d, 
+   0xcb, 0x75, 0xdc, 0x24, 0x25, 0x6f, 0x01, 0x92, 
+   0xa1, 0x11, 0x07, 0x6b, 0x70, 0xac, 0x73, 0xd7, 
+   0x82, 0x28, 0xdf, 0xab, 0x82, 0x0c, 0x41, 0x0c, 
+   0x95, 0xb3, 0x3c, 0x3d, 0xea, 0x8a, 0xe6, 0x44, 
+   0x0a, 0xb8, 0xab, 0x90, 0x15, 0x41, 0x11, 0xe8, 
+   0x48, 0x7b, 0x8d, 0xb0, 0x9c, 0xd3, 0xf2, 0x69, 
+   0x66, 0xff, 0x66, 0x4b, 0x70, 0x2b, 0xbf, 0xfb, 
+   0xd6, 0x68, 0x85, 0x76, 0x1e, 0x34, 0xaa, 0xc5, 
+   0x57, 0x6e, 0x23, 0x02, 0x08, 0x60, 0x6e, 0xfd, 
+   0x67, 0x76, 0xe1, 0x7c, 0xc8, 0xcb, 0x51, 0x77, 
+   0xcf, 0xb1, 0x3b, 0x00, 0x2e, 0xfa, 0x21, 0xcd, 
+   0x34, 0x76, 0x75, 0x01, 0x19, 0xfe, 0xf8, 0x5d, 
+   0x43, 0xc5, 0x34, 0xf3, 0x7a, 0x95, 0xdc, 0xc2, 
+   0x58, 0x07, 0x19, 0x2f, 0x1d, 0x6f, 0x9a, 0x77, 
+   0x7e, 0x55, 0xaa, 0xe7, 0x5a, 0x50, 0x43, 0xd3 };
+
+static const unsigned char subprime[] = { 0x0,
+   0xd8, 0x16, 0x23, 0x34, 0x8a, 0x9e, 0x3a, 0xf5, 
+   0xd9, 0x10, 0x13, 0x35, 0xaa, 0xf3, 0xf3, 0x54, 
+   0x0b, 0x31, 0x24, 0xf1 };
+
+static const unsigned char base[] = { 
+    0x03, 0x3a, 0xad, 0xfa, 0x3a, 0x0c, 0xea, 0x0a, 
+    0x4e, 0x43, 0x32, 0x92, 0xbb, 0x87, 0xf1, 0x11, 
+    0xc0, 0xad, 0x39, 0x38, 0x56, 0x1a, 0xdb, 0x23, 
+    0x66, 0xb1, 0x08, 0xda, 0xb6, 0x19, 0x51, 0x42, 
+    0x93, 0x4f, 0xc3, 0x44, 0x43, 0xa8, 0x05, 0xc1, 
+    0xf8, 0x71, 0x62, 0x6f, 0x3d, 0xe2, 0xab, 0x6f, 
+    0xd7, 0x80, 0x22, 0x6f, 0xca, 0x0d, 0xf6, 0x9f, 
+    0x45, 0x27, 0x83, 0xec, 0x86, 0x0c, 0xda, 0xaa, 
+    0xd6, 0xe0, 0xd0, 0x84, 0xfd, 0xb1, 0x4f, 0xdc, 
+    0x08, 0xcd, 0x68, 0x3a, 0x77, 0xc2, 0xc5, 0xf1, 
+    0x99, 0x0f, 0x15, 0x1b, 0x6a, 0x8c, 0x3d, 0x18, 
+    0x2b, 0x6f, 0xdc, 0x2b, 0xd8, 0xb5, 0x9b, 0xb8, 
+    0x2d, 0x57, 0x92, 0x1c, 0x46, 0x27, 0xaf, 0x6d, 
+    0xe1, 0x45, 0xcf, 0x0b, 0x3f, 0xfa, 0x07, 0xcc, 
+    0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36, 
+    0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
+
+static const unsigned char h[] = { 
+    0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac, 
+    0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6, 
+    0xc2, 0x29, 0x93, 0x5e, 0xbd, 0xc7, 0xa9, 0x8f, 
+    0x23, 0xa1, 0xc8, 0xee, 0x80, 0x64, 0xd5, 0x67, 
+    0x3c, 0xba, 0x59, 0x9a, 0x06, 0x0c, 0xcc, 0x29, 
+    0x56, 0xc0, 0xb2, 0x21, 0xe0, 0x5b, 0x52, 0xcd, 
+    0x84, 0x73, 0x57, 0xfd, 0xd8, 0xc3, 0x5b, 0x13, 
+    0x54, 0xd7, 0x4a, 0x06, 0x86, 0x63, 0x09, 0xa5, 
+    0xb0, 0x59, 0xe2, 0x32, 0x9e, 0x09, 0xa3, 0x9f, 
+    0x49, 0x62, 0xcc, 0xa6, 0xf9, 0x54, 0xd5, 0xb2, 
+    0xc3, 0x08, 0x71, 0x7e, 0xe3, 0x37, 0x50, 0xd6, 
+    0x7b, 0xa7, 0xc2, 0x60, 0xc1, 0xeb, 0x51, 0x32, 
+    0xfa, 0xad, 0x35, 0x25, 0x17, 0xf0, 0x7f, 0x23, 
+    0xe5, 0xa8, 0x01, 0x52, 0xcf, 0x2f, 0xd9, 0xa9, 
+    0xf6, 0x00, 0x21, 0x15, 0xf1, 0xf7, 0x70, 0xb7, 
+    0x57, 0x8a, 0xd0, 0x59, 0x6a, 0x82, 0xdc, 0x9c };
+
+static const unsigned char seed[] = { 0x00,
+    0xcc, 0x4c, 0x69, 0x74, 0xf6, 0x72, 0x24, 0x68, 
+    0x24, 0x4f, 0xd7, 0x50, 0x11, 0x40, 0x81, 0xed, 
+    0x19, 0x3c, 0x8a, 0x25, 0xbc, 0x78, 0x0a, 0x85, 
+    0x82, 0x53, 0x70, 0x20, 0xf6, 0x54, 0xa5, 0x1b, 
+    0xf4, 0x15, 0xcd, 0xff, 0xc4, 0x88, 0xa7, 0x9d, 
+    0xf3, 0x47, 0x1c, 0x0a, 0xbe, 0x10, 0x29, 0x83, 
+    0xb9, 0x0f, 0x4c, 0xdf, 0x90, 0x16, 0x83, 0xa2, 
+    0xb3, 0xe3, 0x2e, 0xc1, 0xc2, 0x24, 0x6a, 0xc4, 
+    0x9d, 0x57, 0xba, 0xcb, 0x0f, 0x18, 0x75, 0x00, 
+    0x33, 0x46, 0x82, 0xec, 0xd6, 0x94, 0x77, 0xc3, 
+    0x4f, 0x4c, 0x58, 0x1c, 0x7f, 0x61, 0x3c, 0x36, 
+    0xd5, 0x2f, 0xa5, 0x66, 0xd8, 0x2f, 0xce, 0x6e, 
+    0x8e, 0x20, 0x48, 0x4a, 0xbb, 0xe3, 0xe0, 0xb2, 
+    0x50, 0x33, 0x63, 0x8a, 0x5b, 0x2d, 0x6a, 0xbe, 
+    0x4c, 0x28, 0x81, 0x53, 0x5b, 0xe4, 0xf6, 0xfc, 
+    0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
+
+#define MK_SECITEM(bb) { siBuffer, (unsigned char *)(bb), sizeof(bb) }
+
+static PQGParams pqgParams = {
+    NULL,                   /* arena */
+    MK_SECITEM(prime),      /* P     */
+    MK_SECITEM(subprime),   /* Q     */
+    MK_SECITEM(base)        /* G     */
+};
+
+static PQGVerify pqgVerify = {
+    NULL,              /* arena   */
+    1496,              /* counter */
+    MK_SECITEM(seed),  /* seed    */
+    MK_SECITEM(h)      /* h       */
+};
+
+
 
 int
 main (int argc, char **argv)
 {
     int		 retval = 1;  /* 0 - test succeeded.  1 - test failed */
     SECStatus	 rv;
     PLOptState	*optstate;
     char	*program_name;
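Review bot: The added tables carry no provenance: `prime`, `subprime` and `base` replace the parameters that `PK11_PQG_ParamGen` used to produce, and `pqgVerify` (with `seed` and `h`) is defined while the later hunk passes only `&pqgParams` to `PK11_GenerateKeyPair`. A header comment such as `/* Fixed DSA domain parameters: 1024-bit P, 160-bit Q, generator G; seed, counter and h are kept so the set can be re-checked */` would say why they are here. If nothing outside these hunks reads `pqgVerify`, it is dead data that wants either a verification call (for example `PK11_PQG_VerifyParams`) or removal. `keySize` stays in main as 1024 but no longer influences the parameters, so a size parsed from the command line, if one is accepted outside the hunk, would be silently ignored.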
@@ -147,20 +241,18 @@ main (int argc, char **argv)
     PRFileDesc *fd;
     int bytesRead;
     int bytesWritten;
     unsigned char file_buf[512];
     unsigned char hash_buf[SHA1_LENGTH];
     unsigned char sign_buf[40]; /* DSA_LENGTH */
     SECItem hash,sign;
     PK11Context *hashcx = NULL;
-    int ks, count=0;
+    int count=0;
     int keySize = 1024;
-    PQGParams *pqgParams = NULL;
-    PQGVerify *pqgVerify = NULL;
     const char *nssDir = NULL;
     secuPWData  pwdata = { PW_NONE, 0 };
 #ifdef USES_LINKS
     int ret;
     struct stat stat_buf;
     char link_buf[MAXPATHLEN+1];
     char *link_file = NULL;
 #endif
@@ -244,23 +336,17 @@ main (int argc, char **argv)
     /* Generate a DSA Key pair */
     slot = PK11_GetBestSlot(CKM_DSA,&pwdata);
     if (slot == NULL) {
 	lperror("CKM_DSA");
 	goto loser;
 	
     }
     printf("Generating DSA Key Pair...."); fflush(stdout);
-    ks = PQG_PBITS_TO_INDEX(keySize);
-    rv = PK11_PQG_ParamGen(ks,&pqgParams, &pqgVerify);
-    if (rv != SECSuccess) {
-	lperror("Generating PQG Params");
-	goto loser;
-    }
-    privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams, &pubk, 
+    privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, &pqgParams, &pubk, 
 						PR_FALSE, PR_TRUE, &pwdata);
     if (privk == NULL) {
 	lperror("Generating DSA Key");
 	goto loser;
     }
 
     printf("done\n");
 
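Review bot: The `PK11_GenerateKeyPair` call has no comment saying that the key pair is now built from the fixed domain parameters compiled into this file rather than from freshly generated ones. A line such as `/* Key pair uses the fixed PQG parameters defined at file scope. */` above the call would make that explicit. In the lines visible here, `keySize` and the file-scope `pqgVerify` no longer appear to be referenced once `PQG_PBITS_TO_INDEX(keySize)` and `PK11_PQG_ParamGen` are gone. main continues outside this hunk, so confirm whether either is still used or can be dropped.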
--- a/security/nss/cmd/signtool/signtool.c
+++ b/security/nss/cmd/signtool/signtool.c
@@ -180,17 +180,17 @@ ProcessCommandFile()
 
     fd = PR_Open(cmdFile, PR_RDONLY, 0777);
     if (!fd) {
 	PR_fprintf(errorFD, "ERROR: Unable to open command file %s.\n");
 	errorCount++;
 	return - 1;
     }
 
-    while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd), buf && *buf != '\0') {
+    while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd)) {
 	char	*eol;
 	linenum++;
 
 	/* Chop off final newline */
 	eol = PL_strchr(buf, '\r');
 	if (!eol) {
 	    eol = PL_strchr(buf, '\n');
 	}
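Review bot: The error path just above the changed loop calls `PR_fprintf` with a `%s` conversion but passes no argument for it, so the formatter reads a missing vararg when the command file cannot be opened. The call should be `PR_fprintf(errorFD, "ERROR: Unable to open command file %s.\n", cmdFile);`. The rest of ProcessCommandFile lies outside this hunk.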
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -1104,20 +1104,23 @@ char*
 pr_fgets(char *buf, int size, PRFileDesc *file)
 {
     int	i;
     int	status;
     char	c;
 
     i = 0;
     while (i < size - 1) {
-	status = PR_Read(file, (void * ) &c, 1);
+	status = PR_Read(file, &c, 1);
 	if (status == -1) {
 	    return NULL;
 	} else if (status == 0) {
+	    if (i == 0) {
+		return NULL;
+	    }
 	    break;
 	}
 	buf[i++] = c;
 	if (c == '\n') {
 	    break;
 	}
     }
     buf[i] = '\0';
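Review bot: pr_fgets has no comment describing its return contract, although the loop in signtool.c's ProcessCommandFile now depends on a NULL return as its only termination condition. A header comment such as `/* Reads one line (at most size-1 bytes, NUL-terminated) into buf; returns NULL on read error or on EOF with nothing read. */` would document what the added `i == 0` check establishes. Separately, when `size` is 0 or negative the loop is skipped and `buf[i] = '\0'` still writes `buf[0]`, so a guard like `if (size <= 0) return NULL;` at the top would be safer. The function's final return is outside this hunk.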
--- a/security/nss/cmd/signver/manifest.mn
+++ b/security/nss/cmd/signver/manifest.mn
@@ -49,10 +49,8 @@ PROGRAM = signver
 PACKAGE_FILES = README.txt signedForm.html signedForm.pl form.pl
 ifeq ($(subst /,_,$(shell uname -s)),WINNT)
 PACKAGE_FILES += signedForm.nt.pl signver.exe
 else
 PACKAGE_FILES += signver
 endif
 
 ARCHIVE_NAME  = signver
-
-USE_STATIC_LIBS = 1
--- a/security/nss/cmd/signver/pk7print.c
+++ b/security/nss/cmd/signver/pk7print.c
@@ -114,21 +114,22 @@ sv_PrintTime(FILE *out, SECItem *t, char
     int rv;
 
     rv = DER_DecodeTimeChoice(&time, t);
     if (rv) return rv;
 
     /* Convert to local time */
     PR_ExplodeTime(time, PR_LocalTimeParameters, &printableTime);
 
-    timeString = (char *)PORT_Alloc(100);
+    timeString = (char *)PORT_Alloc(256);
 
     if ( timeString ) {
-        PR_FormatTime( timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime );
-        fprintf(out, "%s%s\n", m, timeString);
+        if (PR_FormatTime( timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime )) {
+            fprintf(out, "%s%s\n", m, timeString);
+        }
         PORT_Free(timeString);
         return 0;
     }
     return SECFailure;
 }
 
 int
 sv_PrintValidity(FILE *out, CERTValidity *v, char *m)
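Review bot: When `PR_FormatTime` returns 0, the new code skips the `fprintf` but still falls through to `return 0`, so the caller is told the time was printed when nothing was written. Recording the failure, for example `else { rv = SECFailure; }` after the new `if` and `return rv;` in place of `return 0;`, keeps the result honest (`rv` is 0 at that point because of the earlier `if (rv) return rv;`). The literal 256 also appears in both the allocation and the format call, so a single named constant would keep them in step. sv_PrintTime begins outside this hunk.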
@@ -356,24 +357,26 @@ sv_PrintSubjectPublicKeyInfo(FILE *out, 
     sv_PrintAlgorithmID(out, &i->algorithm, mm);
 
     pk = (SECKEYPublicKey*) PORT_ZAlloc(sizeof(SECKEYPublicKey));
     if (!pk) return PORT_GetError();
 
     DER_ConvertBitString(&i->subjectPublicKey);
     switch(SECOID_FindOIDTag(&i->algorithm.algorithm)) {
         case SEC_OID_PKCS1_RSA_ENCRYPTION:
-            rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_RSAPublicKeyTemplate,
+            rv = SEC_ASN1DecodeItem(arena, pk,
+                                    SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate),
                                     &i->subjectPublicKey);
             if (rv) return rv;
             sprintf(mm, "%s.rsaPublicKey.", msg);
             sv_PrintRSAPublicKey(out, pk, mm);
             break;
         case SEC_OID_ANSIX9_DSA_SIGNATURE:
-            rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_DSAPublicKeyTemplate,
+            rv = SEC_ASN1DecodeItem(arena, pk,
+                                    SEC_ASN1_GET(SECKEY_DSAPublicKeyTemplate),
                                     &i->subjectPublicKey);
             if (rv) return rv;
             sprintf(mm, "%s.dsaPublicKey.", msg);
             sv_PrintDSAPublicKey(out, pk, mm);
             break;
         default:
             fprintf(out, "%s=bad SPKI algorithm type\n", msg);
             return 0;
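Review bot: `pk` is allocated with `PORT_ZAlloc` at the top of this hunk, but both `if (rv) return rv;` paths and the `default:` branch's `return 0;` leave without releasing it. Each early exit should free it first, e.g. `if (rv) { PORT_Free(pk); return rv; }`. The two `sprintf(mm, "%s....", msg)` calls are also unbounded; `mm` is declared outside this hunk, so its size should be checked against the longest `msg` callers can pass. The function starts and ends outside the hunk, so whether `pk` is freed on the normal path cannot be seen here.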
@@ -386,17 +389,18 @@ SECStatus
 sv_PrintInvalidDateExten  (FILE *out, SECItem *value, char *msg)
 {
     SECItem decodedValue;
     SECStatus rv;
     int64 invalidTime;
     char *formattedTime = NULL;
 
     decodedValue.data = NULL;
-    rv = SEC_ASN1DecodeItem (NULL, &decodedValue, SEC_GeneralizedTimeTemplate,
+    rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
+                             SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
                              value);
     if (rv == SECSuccess) {
         rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
         if (rv == SECSuccess) {
             formattedTime = CERT_GenTime2FormattedAscii(invalidTime, "%a %b %d %H:%M:%S %Y");
             fprintf (out, "%s: %s\n", msg, formattedTime);
             PORT_Free (formattedTime);
         }
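Review bot: The result of `CERT_GenTime2FormattedAscii` is passed to `fprintf` as a `%s` argument without a NULL check, which is undefined behaviour if the formatter fails or runs out of memory. Guarding the use, `if (formattedTime) { fprintf (out, "%s: %s\n", msg, formattedTime); PORT_Free (formattedTime); }`, avoids that. This matters more now that the same commit makes other callers check `PR_FormatTime` for failure. The function continues past the end of this hunk.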
@@ -490,17 +494,18 @@ sv_PrintCertificate(FILE *out, SECItem *
     
     /* Decode certificate */
     c = (CERTCertificate*) PORT_ZAlloc(sizeof(CERTCertificate));
     if (!c) return PORT_GetError();
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (!arena) return SEC_ERROR_NO_MEMORY;
 
-    rv = SEC_ASN1DecodeItem(arena, c, CERT_CertificateTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, c, SEC_ASN1_GET(CERT_CertificateTemplate),
+                            der);
     if (rv) {
         PORT_FreeArena(arena, PR_FALSE);
         return rv;
     }
 
     /* Pretty print it out */
     iv = DER_GetInteger(&c->version);
     fprintf(out, "%sversion=%d (0x%x)\n", m, iv + 1, iv);
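Review bot: `c` is allocated with `PORT_ZAlloc` before the arena is created, but neither `if (!arena) return SEC_ERROR_NO_MEMORY;` nor the decode-failure branch frees it; only the arena is released. Both exits should release the structure as well, e.g. `if (!arena) { PORT_Free(c); return SEC_ERROR_NO_MEMORY; }` and `PORT_Free(c);` next to `PORT_FreeArena`. The same pattern applies to `sd` in the sv_PrintSignedData hunk that follows. Both functions extend beyond their hunks, so the success-path cleanup is not visible here.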
@@ -536,17 +541,18 @@ sv_PrintSignedData(FILE *out, SECItem *d
 
     /* Strip off the signature */
     sd = (CERTSignedData*) PORT_ZAlloc(sizeof(CERTSignedData));
     if (!sd) return PORT_GetError();
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (!arena) return SEC_ERROR_NO_MEMORY;
 
-    rv = SEC_ASN1DecodeItem(arena, sd, CERT_SignedDataTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
+                            der);
     if (rv) {
         PORT_FreeArena(arena, PR_FALSE);
         return rv;
     }
 
 /*    fprintf(out, "%s:\n", m); */
     PORT_Strcat(m, "data.");
 
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/tests/conflict.c
@@ -0,0 +1,58 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This test verifies that NSS public headers don't conflict with common
+ * identifier names.
+ */
+
+#include "nssilckt.h"
+
+/*
+ * Bug 455424: nssilckt.h used to define the enumeration constant 'Lock',
+ * which conflicts with C++ code that defines a Lock class.  This is a
+ * reduced test case in C for that name conflict.
+ */
+typedef struct {
+    int dummy;
+} Lock;
+
+Lock lock;
+
+int main()
+{
+    return 0;
+}
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -36,16 +36,17 @@
 # ***** END LICENSE BLOCK *****
 
 CORE_DEPTH = ../../..
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss
 
 CSRCS = \
+	conflict.c \
 	nonspr10.c \
 	remtest.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = seccmd dbm
 
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -33,17 +33,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
 **
-** Sample client side test program that uses SSL and libsec
+** Sample client side test program that uses SSL and NSS
 **
 */
 
 #include "secutil.h"
 
 #if defined(XP_UNIX)
 #include <unistd.h>
 #else
@@ -121,30 +121,17 @@ int ssl3CipherSuites[] = {
 };
 
 unsigned long __cmp_umuls;
 PRBool verbose;
 int renegotiate = 0;
 
 static char *progName;
 
-/* This exists only for the automated test suite. It allows us to
- * pass in a password on the command line. 
- */
-
-char *password = NULL;
-
-char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-	char *passwd = NULL;
-	if ( (!retry) && arg ) {
-		passwd = PL_strdup((char *)arg);
-	}
-	return passwd;
-}
+secuPWData  pwdata          = { PW_NONE, 0 };
 
 void printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate * cert;
     SSL3Statistics * ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo    channel;
     SSLCipherSuiteInfo suite;
@@ -198,17 +185,17 @@ handshakeCallback(PRFileDesc *fd, void *
 	SSL_ReHandshake(fd, PR_FALSE);
     }
 }
 
 static void Usage(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvxr] \n"
-"                   [-c ciphers] [-w passwd] [-q]\n", progName);
+"                   [-c ciphers] [-w passwd] [-W pwfile] [-q]\n", progName);
     fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
     fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
     fprintf(stderr, 
             "%-20s Directory with cert database (default is ~/.netscape)\n",
 	    "-d certdir");
     fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", 
                     "-n nickname");
     fprintf(stderr, 
@@ -518,17 +505,16 @@ int main(int argc, char **argv)
     int                disableTLS  = 0;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
-    PRBool             useCommandLinePassword = PR_FALSE;
     PRBool             pingServerFirst = PR_FALSE;
     PRBool             clientSpeaksFirst = PR_FALSE;
     PRBool             wrStarted = PR_FALSE;
     PRBool             skipProtoHeader = PR_FALSE;
     int                headerSeparatorPtrnId = 0;
     int                error = 0;
     PRUint16           portno = 443;
     PLOptState *optstate;
@@ -543,17 +529,17 @@ int main(int argc, char **argv)
     tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
        int sec = PORT_Atoi(tmp);
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
-    optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:x");
+    optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:xW:");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '2': disableSSL2 = 1; 			break;
 
           case '3': disableSSL3 = 1; 			break;
@@ -589,41 +575,41 @@ int main(int argc, char **argv)
 	  case 's': disableLocking = 1;                 break;
 
 	  case 'u': enableSessionTickets = PR_TRUE;	break;
 
 	  case 'v': verbose++;	 			break;
 
 	  case 'r': renegotiate = atoi(optstate->value);	break;
 
-	  case 'w':
-		password = PORT_Strdup(optstate->value);
-		useCommandLinePassword = PR_TRUE;
+          case 'w':
+                pwdata.source = PW_PLAINTEXT;
+		pwdata.data = PORT_Strdup(optstate->value);
 		break;
 
+          case 'W':
+                pwdata.source = PW_FROMFILE;
+                pwdata.data = PORT_Strdup(optstate->value);
+                break;
+
 	  case 'x': useExportPolicy = 1; 		break;
 	}
     }
 
     PL_DestroyOptState(optstate);
 
     if (optstatus == PL_OPT_BAD)
 	Usage(progName);
 
     if (!host || !portno) 
     	Usage(progName);
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
-    /* set our password function */
-    if ( useCommandLinePassword ) {
-	PK11_SetPasswordFunc(ownPasswd);
-    } else {
-    	PK11_SetPasswordFunc(SECU_GetModulePassword);
-    }
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
 
     /* open the cert DB, the key DB, and the secmod DB. */
     if (!certDir) {
 	certDir = SECU_DefaultSSLDir();	/* Look in $SSL_DIR */
 	certDir = SECU_ConfigDirectory(certDir);
     } else {
 	char *certDirTmp = certDir;
 	certDir = SECU_ConfigDirectory(certDirTmp);
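Review bot: The `-w` and `-W` cases both overwrite `pwdata.data` unconditionally, so giving either option twice, or both together, leaks the earlier `PORT_Strdup` copy and silently lets the last option decide the password source. Releasing the previous value first, `if (pwdata.data) PORT_Free(pwdata.data);` at the start of each case, or rejecting the combination through `Usage(progName)`, would make the behaviour explicit. The `PORT_Strdup` result is also not checked, so an allocation failure leaves `pwdata.source` set with a NULL `data`. The new case labels are indented with spaces while the neighbouring ones use tabs.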
@@ -838,19 +824,17 @@ int main(int argc, char **argv)
 
     /* enable Session Ticket extension. */
     rv = SSL_OptionSet(s, SSL_ENABLE_SESSION_TICKETS, enableSessionTickets);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "error enabling Session Ticket extension");
 	return 1;
     }
 
-    if (useCommandLinePassword) {
-	SSL_SetPKCS11PinArg(s, password);
-    }
+    SSL_SetPKCS11PinArg(s, &pwdata);
 
     SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
     SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
     SSL_HandshakeCallback(s, handshakeCallback, NULL);
     SSL_SetURL(s, host);
@@ -1059,22 +1043,23 @@ int main(int argc, char **argv)
 	}
 	milliPause(50 * multiplier);
     }
 
   done:
     if (nickname) {
         PORT_Free(nickname);
     }
-    if (password) {
-        PORT_Free(password);
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
     }
     PORT_Free(host);
 
     PR_Close(s);
     SSL_ClearSessionCache();
     if (NSS_Shutdown() != SECSuccess) {
         exit(1);
     }
 
+    FPRINTF(stderr, "tstclnt: exiting with return code %d\n", error);
     PR_Cleanup();
     return error;
 }
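Review bot: The added `FPRINTF` that reports the return code sits after the `NSS_Shutdown()` check, so when shutdown fails the program leaves through `exit(1)` and the message is never printed. If the line is meant to let test scripts see every exit status, it should be emitted before the shutdown check, or the failure branch should set `error = 1` and fall through instead of calling `exit(1)`. For `-w`, `pwdata.data` holds the plaintext password, so clearing it before release with `PORT_ZFree(pwdata.data, PORT_Strlen(pwdata.data));` would be tidier than a plain `PORT_Free`.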
--- a/security/nss/lib/base/nssbaset.h
+++ b/security/nss/lib/base/nssbaset.h
@@ -33,17 +33,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef NSSBASET_H
 #define NSSBASET_H
 
 #ifdef DEBUG
-static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.6 $ $Date: 2005/01/20 02:25:45 $";
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.7 $ $Date: 2008/10/05 20:59:16 $";
 #endif /* DEBUG */
 
 /*
  * nssbaset.h
  *
  * This file contains the most low-level, fundamental public types.
  */
 
@@ -56,20 +56,20 @@ static const char NSSBASET_CVS_ID[] = "@
  * NSS has its own versions of these NSPR macros, in a form which
  * does not confuse ctags and other related utilities.  NSPR 
  * defines these macros to take the type as an argument, because
  * of a requirement to support win16 dlls.  We do not have that
  * requirement, so we can drop that restriction.
  */
 
 #define DUMMY	/* dummy */
-#define NSS_EXTERN         PR_EXTERN(DUMMY)
-#define NSS_IMPLEMENT      PR_IMPLEMENT(DUMMY)
-#define NSS_EXTERN_DATA    PR_EXTERN_DATA(DUMMY)
-#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(DUMMY)
+#define NSS_EXTERN         extern
+#define NSS_EXTERN_DATA    extern
+#define NSS_IMPLEMENT      
+#define NSS_IMPLEMENT_DATA 
 
 PR_BEGIN_EXTERN_C
 
 /*
  * NSSError
  *
  * Calls to NSS routines may result in one or more errors being placed
  * on the calling thread's "error stack."  Every possible error that
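Review bot: The comment above these macros still describes them as NSS versions of the NSPR macros, but the new definitions no longer expand to `PR_EXTERN`/`PR_IMPLEMENT` at all, and `DUMMY` is left defined without a visible user. The comment should say that `NSS_EXTERN` and `NSS_EXTERN_DATA` are now plain `extern` and that the `IMPLEMENT` forms expand to nothing. It should also state whether symbol export on platforms that need an export attribute is handled elsewhere, since the NSPR macros presumably supplied that. `#define DUMMY` can be removed if nothing else in the tree refers to it.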
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -991,38 +991,42 @@ void
     return;
 }
 
 SECStatus
 CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
                         PRBool readOnly)
 {
     PORT_Assert("CERT_OpenCertDBFilename is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 
 SECItem *
 SECKEY_HashPassword(char *pw, SECItem *salt)
 {
     PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return NULL;
 }
 
 SECStatus
 __CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
                                  SECItem *derSubject,
                                  void *cb, void *cbarg)
 {
     PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 
 
 SECStatus
 __CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
                                   void *cb, void *cbarg)
 {
     PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 
 
 
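Review bot: None of the four deprecated stubs documents that the new `PORT_SetError(PR_NOT_IMPLEMENTED_ERROR)` is only reached when `PORT_Assert` is compiled out. In builds where the assertion is active it fails first. A short comment on each, such as `/* Deprecated stub: asserts in debug builds, otherwise fails with PR_NOT_IMPLEMENTED_ERROR. */`, would tell callers which behaviour to expect.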
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -34,17 +34,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.54 2008/07/08 21:34:32 alexei.volkov.bugs%sun.com Exp $
+ * $Id: ocsp.c,v 1.55 2008/10/06 23:37:55 julien.pierre.boogz%sun.com Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -200,24 +200,24 @@ ocsp_Trace(const char *format, ...)
     va_end(args);
     PR_LogPrint("%s", buf);
 }
 
 static void
 ocsp_dumpStringWithTime(const char *str, int64 time)
 {
     PRExplodedTime timePrintable;
-    char timestr[100];
+    char timestr[256];
 
     if (!wantOcspTrace())
         return;
     PR_ExplodeTime(time, PR_GMTParameters, &timePrintable);
-    PR_FormatTime(timestr, 100, "%a %b %d %H:%M:%S %Y", 
-                  &timePrintable);
-    ocsp_Trace("OCSP %s %s\n", str, timestr);
+    if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) {
+        ocsp_Trace("OCSP %s %s\n", str, timestr);
+    }
 }
 
 static void
 printHexString(const char *prefix, SECItem *hexval)
 {
     unsigned int i;
     char *hexbuf = NULL;
 
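Review bot: The buffer length 256 is now written twice in ocsp_dumpStringWithTime, once in the declaration and once in the `PR_FormatTime` call, which is how the earlier 100 had to be changed in two places. Using the array itself, `PR_FormatTime(timestr, sizeof(timestr), "%a %b %d %H:%M:%S %Y", &timePrintable)`, removes the duplication. The same applies to `beforestr` and `afterstr` in the dumpCertificate hunk below.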
@@ -240,26 +240,28 @@ dumpCertificate(CERTCertificate *cert)
     if (!wantOcspTrace())
         return;
 
     ocsp_Trace("OCSP ----------------\n");
     ocsp_Trace("OCSP ## SUBJECT:  %s\n", cert->subjectName);
     {
         int64 timeBefore, timeAfter;
         PRExplodedTime beforePrintable, afterPrintable;
-        char beforestr[100], afterstr[100];
+        char beforestr[256], afterstr[256];
+        PRStatus rv1, rv2;
         DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore);
         DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
         PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
         PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
-        PR_FormatTime(beforestr, 100, "%a %b %d %H:%M:%S %Y", 
+        rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", 
                       &beforePrintable);
-        PR_FormatTime(afterstr, 100, "%a %b %d %H:%M:%S %Y", 
+        rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", 
                       &afterPrintable);
-        ocsp_Trace("OCSP ## VALIDITY:  %s to %s\n", beforestr, afterstr);
+        ocsp_Trace("OCSP ## VALIDITY:  %s to %s\n", rv1 ? beforestr : "",
+                   rv2 ? afterstr : "");
     }
     ocsp_Trace("OCSP ## ISSUER:  %s\n", cert->issuerName);
     printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber);
 }
 
 static void
 dumpCertID(CERTOCSPCertID *certID)
 {
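Review bot: `rv1` and `rv2` are declared as `PRStatus`, but `PR_FormatTime` returns a `PRUint32` character count, and `PR_SUCCESS` is 0, so the tests `rv1 ? beforestr : ""` read as the opposite of what they do. Declaring them as `PRUint32 len1, len2;` and testing those matches the API and the check used in ocsp_dumpStringWithTime. The two `DER_DecodeTimeChoice` results are still ignored, so `timeBefore` and `timeAfter` may be used uninitialised if decoding fails. The function begins outside this hunk.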
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -30,17 +30,17 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $";
 #endif /* DEBUG */
 
 #ifndef BUILTINS_H
 #include "builtins.h"
 #endif /* BUILTINS_H */
 
 static const CK_BBOOL ck_false = CK_FALSE;
 static const CK_BBOOL ck_true = CK_TRUE;
@@ -798,25 +798,31 @@ static const CK_ATTRIBUTE_TYPE nss_built
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_248 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_249 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_250 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_251 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $", (PRUint32)160 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
   { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
@@ -16863,16 +16869,119 @@ static const NSSItem nss_builtins_items_
 , (PRUint32)136 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
+static const NSSItem nss_builtins_items_250 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"COMODO ECC Certification Authority", (PRUint32)35 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+  { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143"
+"\231\052"
+, (PRUint32)18 },
+  { (void *)"\060\202\002\211\060\202\002\017\240\003\002\001\002\002\020\037"
+"\107\257\252\142\000\160\120\124\114\001\236\233\143\231\052\060"
+"\012\006\010\052\206\110\316\075\004\003\003\060\201\205\061\013"
+"\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006"
+"\003\125\004\010\023\022\107\162\145\141\164\145\162\040\115\141"
+"\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004"
+"\007\023\007\123\141\154\146\157\162\144\061\032\060\030\006\003"
+"\125\004\012\023\021\103\117\115\117\104\117\040\103\101\040\114"
+"\151\155\151\164\145\144\061\053\060\051\006\003\125\004\003\023"
+"\042\103\117\115\117\104\117\040\105\103\103\040\103\145\162\164"
+"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\060\036\027\015\060\070\060\063\060\066\060\060\060"
+"\060\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071"
+"\065\071\132\060\201\205\061\013\060\011\006\003\125\004\006\023"
+"\002\107\102\061\033\060\031\006\003\125\004\010\023\022\107\162"
+"\145\141\164\145\162\040\115\141\156\143\150\145\163\164\145\162"
+"\061\020\060\016\006\003\125\004\007\023\007\123\141\154\146\157"
+"\162\144\061\032\060\030\006\003\125\004\012\023\021\103\117\115"
+"\117\104\117\040\103\101\040\114\151\155\151\164\145\144\061\053"
+"\060\051\006\003\125\004\003\023\042\103\117\115\117\104\117\040"
+"\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\166\060\020\006"
+"\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003"
+"\142\000\004\003\107\173\057\165\311\202\025\205\373\165\344\221"
+"\026\324\253\142\231\365\076\122\013\006\316\101\000\177\227\341"
+"\012\044\074\035\001\004\356\075\322\215\011\227\014\340\165\344"
+"\372\373\167\212\052\365\003\140\113\066\213\026\043\026\255\011"
+"\161\364\112\364\050\120\264\376\210\034\156\077\154\057\057\011"
+"\131\133\245\133\013\063\231\342\303\075\211\371\152\054\357\262"
+"\323\006\351\243\102\060\100\060\035\006\003\125\035\016\004\026"
+"\004\024\165\161\247\031\110\031\274\235\235\352\101\107\337\224"
+"\304\110\167\231\323\171\060\016\006\003\125\035\017\001\001\377"
+"\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377"
+"\004\005\060\003\001\001\377\060\012\006\010\052\206\110\316\075"
+"\004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254"
+"\267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346"
+"\175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316"
+"\231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223"
+"\074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157"
+"\030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346"
+"\334\335\363\377\035\054\072\026\127\331\222\071\326"
+, (PRUint32)653 }
+};
+static const NSSItem nss_builtins_items_251 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"COMODO ECC Certification Authority", (PRUint32)35 },
+  { (void *)"\237\164\116\237\053\115\272\354\017\061\054\120\266\126\073\216"
+"\055\223\303\021"
+, (PRUint32)20 },
+  { (void *)"\174\142\377\164\235\061\123\136\150\112\325\170\252\036\277\043"
+, (PRUint32)16 },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+  { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143"
+"\231\052"
+, (PRUint32)18 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
 
 builtinsInternalObject
 nss_builtins_data[] = {
 #ifdef DEBUG
   { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
 #endif /* DEBUG */
   { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
   { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
@@ -17117,16 +17226,18 @@ nss_builtins_data[] = {
   { 13, nss_builtins_types_241, nss_builtins_items_241, {NULL} },
   { 11, nss_builtins_types_242, nss_builtins_items_242, {NULL} },
   { 13, nss_builtins_types_243, nss_builtins_items_243, {NULL} },
   { 11, nss_builtins_types_244, nss_builtins_items_244, {NULL} },
   { 13, nss_builtins_types_245, nss_builtins_items_245, {NULL} },
   { 11, nss_builtins_types_246, nss_builtins_items_246, {NULL} },
   { 13, nss_builtins_types_247, nss_builtins_items_247, {NULL} },
   { 11, nss_builtins_types_248, nss_builtins_items_248, {NULL} },
-  { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} }
+  { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} },
+  { 11, nss_builtins_types_250, nss_builtins_items_250, {NULL} },
+  { 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} }
 };
 const PRUint32
 #ifdef DEBUG
-  nss_builtins_nObjects = 249+1;
+  nss_builtins_nObjects = 251+1;
 #else
-  nss_builtins_nObjects = 249;
+  nss_builtins_nObjects = 251;
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -29,17 +29,17 @@
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.49 $ $Date: 2008/08/14 18:15:56 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.50 $ $Date: 2008/10/17 23:06:48 $"
 
 #
 # certdata.txt
 #
 # This file contains the object definitions for the certs and other
 # information "built into" NSS.
 #
 # Object definitions:
@@ -17383,8 +17383,121 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "COMODO ECC Certification Authority"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO ECC Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
+\231\052
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\211\060\202\002\017\240\003\002\001\002\002\020\037
+\107\257\252\142\000\160\120\124\114\001\236\233\143\231\052\060
+\012\006\010\052\206\110\316\075\004\003\003\060\201\205\061\013
+\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006
+\003\125\004\010\023\022\107\162\145\141\164\145\162\040\115\141
+\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004
+\007\023\007\123\141\154\146\157\162\144\061\032\060\030\006\003
+\125\004\012\023\021\103\117\115\117\104\117\040\103\101\040\114
+\151\155\151\164\145\144\061\053\060\051\006\003\125\004\003\023
+\042\103\117\115\117\104\117\040\105\103\103\040\103\145\162\164
+\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\060\036\027\015\060\070\060\063\060\066\060\060\060
+\060\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071
+\065\071\132\060\201\205\061\013\060\011\006\003\125\004\006\023
+\002\107\102\061\033\060\031\006\003\125\004\010\023\022\107\162
+\145\141\164\145\162\040\115\141\156\143\150\145\163\164\145\162
+\061\020\060\016\006\003\125\004\007\023\007\123\141\154\146\157
+\162\144\061\032\060\030\006\003\125\004\012\023\021\103\117\115
+\117\104\117\040\103\101\040\114\151\155\151\164\145\144\061\053
+\060\051\006\003\125\004\003\023\042\103\117\115\117\104\117\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\166\060\020\006
+\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003
+\142\000\004\003\107\173\057\165\311\202\025\205\373\165\344\221
+\026\324\253\142\231\365\076\122\013\006\316\101\000\177\227\341
+\012\044\074\035\001\004\356\075\322\215\011\227\014\340\165\344
+\372\373\167\212\052\365\003\140\113\066\213\026\043\026\255\011
+\161\364\112\364\050\120\264\376\210\034\156\077\154\057\057\011
+\131\133\245\133\013\063\231\342\303\075\211\371\152\054\357\262
+\323\006\351\243\102\060\100\060\035\006\003\125\035\016\004\026
+\004\024\165\161\247\031\110\031\274\235\235\352\101\107\337\224
+\304\110\167\231\323\171\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+\004\005\060\003\001\001\377\060\012\006\010\052\206\110\316\075
+\004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
+\267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
+\175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
+\231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
+\074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
+\030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
+\334\335\363\377\035\054\072\026\127\331\222\071\326
+END
+
+# Trust for Certificate "COMODO ECC Certification Authority"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO ECC Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\237\164\116\237\053\115\272\354\017\061\054\120\266\126\073\216
+\055\223\303\021
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\174\142\377\164\235\061\123\136\150\112\325\170\252\036\277\043
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
+\231\052
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
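Review bot: The trust object for "COMODO ECC Certification Authority" grants `CKT_NETSCAPE_TRUSTED_DELEGATOR` for server auth, email protection and code signing, and nothing in the hunk records where those three bits or the fingerprints were approved. The neighbouring entry visible in the context lines leaves email and code signing at `CKT_NETSCAPE_TRUST_UNKNOWN`, so the broader grant here deserves a traceable reference. I would add a comment above the trust block such as `# Trust bits (websites, email, code signing) approved in bug <BUG-ID>`. The `CKA_CERT_SHA1_HASH` value should also be compared with the fingerprint the CA publishes out of band before this lands.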
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -70,18 +70,18 @@
  *     ...
  *   - NSS 3.30 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 71
-#define NSS_BUILTINS_LIBRARY_VERSION "1.71"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 72
+#define NSS_BUILTINS_LIBRARY_VERSION "1.72"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/ckfw/capi/staticobj.c
+++ b/security/nss/lib/ckfw/capi/staticobj.c
@@ -32,17 +32,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/04 02:05:04 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/04 02:05:04 $";
+static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $";
 #endif /* DEBUG */
 
 #ifndef CKCAPI_H
 #include "ckcapi.h"
 #endif /* CKCAPI_H */
 
 static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
@@ -62,13 +62,13 @@ static const CK_ATTRIBUTE_TYPE nss_ckcap
 static const NSSItem nss_ckcapi_items_1 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla CAPI Access", (PRUint32)20 }
 };
 
-PR_IMPLEMENT_DATA(ckcapiInternalObject) nss_ckcapi_data[] = {
+ckcapiInternalObject nss_ckcapi_data[] = {
   { ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
 };
 
-PR_IMPLEMENT_DATA(const PRUint32) nss_ckcapi_nObjects = 1;
+const PRUint32 nss_ckcapi_nObjects = 1;
--- a/security/nss/lib/ckfw/nssmkey/staticobj.c
+++ b/security/nss/lib/ckfw/nssmkey/staticobj.c
@@ -32,17 +32,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $";
+static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:22 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:22 $";
 #endif /* DEBUG */
 
 #ifndef CKMK_H
 #include "ckmk.h"
 #endif /* CKMK_H */
 
 static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
@@ -62,13 +62,13 @@ static const CK_ATTRIBUTE_TYPE nss_ckmk_
 static const NSSItem nss_ckmk_items_1 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla Mac Key Ring Access", (PRUint32)28 }
 };
 
-PR_IMPLEMENT_DATA(ckmkInternalObject) nss_ckmk_data[] = {
+ckmkInternalObject nss_ckmk_data[] = {
   { ckmkRaw, {{ 5, nss_ckmk_types_1, nss_ckmk_items_1}} , CKO_DATA, {NULL} },
 };
 
-PR_IMPLEMENT_DATA(const PRUint32) nss_ckmk_nObjects = 1;
+const PRUint32 nss_ckmk_nObjects = 1;
--- a/security/nss/lib/ckfw/wrap.c
+++ b/security/nss/lib/ckfw/wrap.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.16 $ $Date: 2008/02/25 20:35:23 $";
+static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.17 $ $Date: 2008/08/25 22:47:32 $";
 #endif /* DEBUG */
 
 /*
  * wrap.c
  *
  * This file contains the routines that actually implement the cryptoki
  * API, using the internal APIs of the NSS Cryptoki Framework.  There is
  * one routine here for every cryptoki routine.  For linking reasons
@@ -269,16 +269,27 @@ NSSCKFWC_Finalize
   case CKR_GENERAL_ERROR:
   case CKR_HOST_MEMORY:
     break;
   default:
     error = CKR_GENERAL_ERROR;
     break;
   }
 
+  /*
+   * A thread's error stack is automatically destroyed when the thread
+   * terminates or, for the primordial thread, by PR_Cleanup.  On
+   * Windows with MinGW, the thread private data destructor PR_Free
+   * registered by this module is actually a thunk for PR_Free defined
+   * in this module.  When the thread that unloads this module terminates
+   * or calls PR_Cleanup, the thunk for PR_Free is already gone with the
+   * module.  Therefore we need to destroy the error stack before the
+   * module is unloaded.
+   */
+  nss_DestroyErrorStack();
   return error;
 }
 
 /*
  * NSSCKFWC_GetInfo
  *
  */
 NSS_IMPLEMENT CK_RV
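Review bot: The `nss_DestroyErrorStack()` call added before `return error;` takes no argument and so presumably releases only the error stack of the thread calling NSSCKFWC_Finalize, while the new comment describes a destructor that fires for any thread terminating after the module is gone. If other threads have called into this module and still own an error stack (inferred from the comment's "A thread's error stack", the implementation is not in the hunk), they would still reach the stale PR_Free thunk when they exit. The comment should state that limit, for example `/* Only the calling thread's stack is destroyed here; other threads must have exited before unload. */`. The call also runs on the error results of the switch above, and the function body starts outside this hunk.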
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.37 $ $Date: 2008/05/29 17:24:15 $";
+static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.38 $ $Date: 2008/09/30 04:09:02 $";
 #endif /* DEBUG */
 
 #ifndef NSSCKEPV_H
 #include "nssckepv.h"
 #endif /* NSSCKEPV_H */
 
 #ifndef DEVM_H
 #include "devm.h"
@@ -354,16 +354,20 @@ nssCryptokiCertificate_GetAttributes (
     status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
                                                 certObject, CKO_CERTIFICATE,
                                                 cert_template, template_size);
     if (status != PR_SUCCESS) {
 
 	session = sessionOpt ? 
 	          sessionOpt : 
 	          nssToken_GetDefaultSession(certObject->token);
+	if (!session) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
 
 	slot = nssToken_GetSlot(certObject->token);
 	status = nssCKObject_GetAttributes(certObject->handle, 
 	                                   cert_template, template_size,
 	                                   arenaOpt, session, slot);
 	nssSlot_Destroy(slot);
 	if (status != PR_SUCCESS) {
 	    return status;
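Review bot: The new missing-session guards report one condition with three different error codes. This hunk and the nssCryptokiTrust_GetAttributes and nssCryptokiCRL_GetAttributes hunks use `nss_SetError(NSS_ERROR_INVALID_ARGUMENT)`, devutil.c create_object uses `nss_SetError(NSS_ERROR_INVALID_POINTER)`, and the devtoken.c hunks use `PORT_SetError(SEC_ERROR_NO_TOKEN)`. A NULL default session is a token state rather than a bad argument when the caller legitimately passed sessionOpt as NULL, so one code set through one error API would let callers tell the cases apart. The test is also written `!session` in two of the ckhelper.c hunks and `session == NULL` in the third. The enclosing functions start and end outside these hunks.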
@@ -452,16 +456,20 @@ nssCryptokiTrust_GetAttributes (
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject, 
                                                 CKO_NETSCAPE_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
 	session = sessionOpt ? 
 	          sessionOpt : 
 	          nssToken_GetDefaultSession(trustObject->token);
+	if (!session) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
 
 	slot = nssToken_GetSlot(trustObject->token);
 	status = nssCKObject_GetAttributes(trustObject->handle,
 	                                   trust_template, trust_size,
 	                                   NULL, session, slot);
 	nssSlot_Destroy(slot);
 	if (status != PR_SUCCESS) {
 	    return status;
@@ -517,16 +525,20 @@ nssCryptokiCRL_GetAttributes (
     status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
                                                 crlObject, 
                                                 CKO_NETSCAPE_CRL,
                                                 crl_template, crl_size);
     if (status != PR_SUCCESS) {
 	session = sessionOpt ? 
 	          sessionOpt : 
 	          nssToken_GetDefaultSession(crlObject->token);
+	if (session == NULL) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
 
 	slot = nssToken_GetSlot(crlObject->token);
 	status = nssCKObject_GetAttributes(crlObject->handle, 
 	                                   crl_template, crl_size,
 	                                   arenaOpt, session, slot);
 	nssSlot_Destroy(slot);
 	if (status != PR_SUCCESS) {
 	    return status;
@@ -575,20 +587,19 @@ nssCryptokiPrivateKey_SetCertificate (
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
 
     if (sessionOpt) {
 	if (!nssSession_IsReadWrite(sessionOpt)) {
 	    return PR_FAILURE;
-	} else {
-	    session = sessionOpt;
-	}
-    } else if (nssSession_IsReadWrite(defaultSession)) {
+	} 
+	session = sessionOpt;
+    } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
 	session = defaultSession;
     } else {
 	NSSSlot *slot = nssToken_GetSlot(token);
 	session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
 	nssSlot_Destroy(slot);
 	if (!session) {
 	    return PR_FAILURE;
 	}
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.50 $ $Date: 2008/08/09 01:25:58 $";
+static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.51 $ $Date: 2008/09/30 04:09:02 $";
 #endif /* DEBUG */
 
 #ifndef NSSCKEPV_H
 #include "nssckepv.h"
 #endif /* NSSCKEPV_H */
 
 #ifndef DEVM_H
 #include "devm.h"
@@ -177,17 +177,18 @@ nssToken_DeleteStoredObject (
     PRBool createdSession = PR_FALSE;
     NSSToken *token = instance->token;
     nssSession *session = NULL;
     void *epv = nssToken_GetCryptokiEPV(instance->token);
     if (token->cache) {
 	nssTokenObjectCache_RemoveObject(token->cache, instance);
     }
     if (instance->isTokenObject) {
-       if (nssSession_IsReadWrite(token->defaultSession)) {
+       if (token->defaultSession && 
+           nssSession_IsReadWrite(token->defaultSession)) {
 	   session = token->defaultSession;
        } else {
 	   session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
 	   createdSession = PR_TRUE;
        }
     }
     if (session == NULL) {
 	return PR_FAILURE;
@@ -222,20 +223,20 @@ import_object (
     CK_OBJECT_HANDLE handle;
     CK_RV ckrv;
     void *epv = nssToken_GetCryptokiEPV(tok);
     if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
 	if (sessionOpt) {
 	    if (!nssSession_IsReadWrite(sessionOpt)) {
 		nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
 		return NULL;
-	    } else {
-		session = sessionOpt;
 	    }
-	} else if (nssSession_IsReadWrite(tok->defaultSession)) {
+	    session = sessionOpt;
+	} else if (tok->defaultSession && 
+	           nssSession_IsReadWrite(tok->defaultSession)) {
 	    session = tok->defaultSession;
 	} else {
 	    session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
 	    createdSession = PR_TRUE;
 	}
     } else {
 	session = (sessionOpt) ? sessionOpt : tok->defaultSession;
     }
@@ -302,18 +303,17 @@ find_objects (
     CK_OBJECT_HANDLE *objectHandles = NULL;
     CK_OBJECT_HANDLE staticObjects[OBJECT_STACK_SIZE];
     PRUint32 arraySize, numHandles;
     void *epv = nssToken_GetCryptokiEPV(tok);
     nssCryptokiObject **objects;
     nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
 
     /* Don't ask the module to use an invalid session handle. */
-    PORT_Assert(session->handle != CK_INVALID_SESSION);
-    if (session->handle == CK_INVALID_SESSION) {
+    if (!session || session->handle == CK_INVALID_SESSION) {
 	ckrv = CKR_SESSION_HANDLE_INVALID;
 	goto loser;                
     }
 
     /* the arena is only for the array of object handles */
     if (maximumOpt > 0) {
 	arraySize = maximumOpt;
     } else {
@@ -1142,29 +1142,34 @@ nssToken_FindTrustForCertificate (
   nssTokenSearchType searchType
 )
 {
     CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE tobj_template[5];
     CK_ULONG tobj_size;
     nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-    nssCryptokiObject *object, **objects;
+    nssCryptokiObject *object = NULL, **objects;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return object;
+    }
 
     NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
     if (searchType == nssTokenSearchType_SessionOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     } else if (searchType == nssTokenSearchType_TokenOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         certIssuer);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial);
     NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
-    object = NULL;
     objects = find_objects_by_template(token, session,
                                        tobj_template, tobj_size,
                                        1, NULL);
     if (objects) {
 	object = objects[0];
 	nss_ZFreeIf(objects);
     }
     return object;
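Review bot: The session guard added at the top of nssToken_FindTrustForCertificate is repeated verbatim in the FindCRLsBySubject, Digest, BeginDigest, ContinueDigest, FinishDigest and TraverseCertificates hunks of this file, differing only in the value returned. A small static helper that picks sessionOpt or the token's default session and validates the handle would keep the seven copies from drifting apart. Each caller would then need only a NULL test. The helper name below is a suggestion, and the function signature starts outside the hunk.

```c
/* Pick the session to use; fail if there is none or its handle is invalid. */
static nssSession *
token_usable_session(NSSToken *token, nssSession *sessionOpt)
{
    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;

    /* Don't ask the module to use an invalid session handle. */
    if (!session || session->handle == CK_INVALID_SESSION) {
	PORT_SetError(SEC_ERROR_NO_TOKEN);
	return NULL;
    }
    return session;
}

/* … unchanged: other declarations in nssToken_FindTrustForCertificate … */
    nssSession *session = token_usable_session(token, sessionOpt);
    nssCryptokiObject *object = NULL, **objects;

    if (!session) {
	return object;
    }
/* … unchanged: template setup and find_objects_by_template call … */
```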
@@ -1222,19 +1227,25 @@ nssToken_FindCRLsBySubject (
   PRUint32 maximumOpt,
   PRStatus *statusOpt
 )
 {
     CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE crlobj_template[3];
     CK_ULONG crlobj_size;
-    nssCryptokiObject **objects;
+    nssCryptokiObject **objects = NULL;
     nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
 
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return objects;
+    }
+
     NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
     if (searchType == nssTokenSearchType_SessionOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     } else if (searchType == nssTokenSearchType_TokenOnly ||
                searchType == nssTokenSearchType_TokenForced) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
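Review bot: The early return added to nssToken_FindCRLsBySubject leaves `*statusOpt` untouched, so a caller that passes statusOpt and checks it instead of the returned array sees whatever value the variable held before the call. Set it before returning: `if (statusOpt) *statusOpt = PR_FAILURE;`. The rest of the function is outside the hunk, so this assumes the normal path reports its result through statusOpt.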
@@ -1275,18 +1286,24 @@ nssToken_Digest (
   NSSArena *arenaOpt
 )
 {
     CK_RV ckrv;
     CK_ULONG digestLen;
     CK_BYTE_PTR digest;
     NSSItem *rvItem = NULL;
     void *epv = nssToken_GetCryptokiEPV(tok);
-    nssSession *session;
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return rvItem;
+    }
+
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
     if (ckrv != CKR_OK) {
 	nssSession_ExitMonitor(session);
 	return NULL;
     }
 #if 0
     /* XXX the standard says this should work, but it doesn't */
@@ -1335,36 +1352,48 @@ nssToken_Digest (
 NSS_IMPLEMENT PRStatus
 nssToken_BeginDigest (
   NSSToken *tok,
   nssSession *sessionOpt,
   NSSAlgorithmAndParameters *ap
 )
 {
     CK_RV ckrv;
-    nssSession *session;
     void *epv = nssToken_GetCryptokiEPV(tok);
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
     nssSession_ExitMonitor(session);
     return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
 }
 
 NSS_IMPLEMENT PRStatus
 nssToken_ContinueDigest (
   NSSToken *tok,
   nssSession *sessionOpt,
   NSSItem *item
 )
 {
     CK_RV ckrv;
-    nssSession *session;
     void *epv = nssToken_GetCryptokiEPV(tok);
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_DigestUpdate(session->handle, 
                                       (CK_BYTE_PTR)item->data, 
                                       (CK_ULONG)item->size);
     nssSession_ExitMonitor(session);
     return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
 }
 
@@ -1376,18 +1405,24 @@ nssToken_FinishDigest (
   NSSArena *arenaOpt
 )
 {
     CK_RV ckrv;
     CK_ULONG digestLen;
     CK_BYTE_PTR digest;
     NSSItem *rvItem = NULL;
     void *epv = nssToken_GetCryptokiEPV(tok);
-    nssSession *session;
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen);
     if (ckrv != CKR_OK || digestLen == 0) {
 	nssSession_ExitMonitor(session);
 	return NULL;
     }
     digest = NULL;
     if (rvOpt) {
@@ -1454,16 +1489,22 @@ nssToken_TraverseCertificates (
     CK_ULONG ctsize;
     NSSArena *arena;
     PRStatus status;
     PRUint32 arraySize, numHandles;
     nssCryptokiObject **objects;
     void *epv = nssToken_GetCryptokiEPV(token);
     nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
 
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
     /* template for all certs */
     NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
     if (searchType == nssTokenSearchType_SessionOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     } else if (searchType == nssTokenSearchType_TokenOnly ||
                searchType == nssTokenSearchType_TokenForced) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.31 $ $Date: 2008/05/18 01:51:45 $";
+static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.32 $ $Date: 2008/09/30 04:09:02 $";
 #endif /* DEBUG */
 
 #ifndef DEVM_H
 #include "devm.h"
 #endif /* DEVM_H */
 
 #ifndef CKHELPER_H
 #include "ckhelper.h"
@@ -382,17 +382,20 @@ create_object (
     nssCryptokiObjectAndAttributes *rvCachedObject = NULL;
 
     slot = nssToken_GetSlot(object->token);
     if (!slot) {
         nss_SetError(NSS_ERROR_INVALID_POINTER);
         goto loser;
     }
     session = nssToken_GetDefaultSession(object->token);
-
+    if (!session) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        goto loser;
+    }
     arena = nssArena_Create();
     if (!arena) {
 	goto loser;
     }
     rvCachedObject = nss_ZNEW(arena, nssCryptokiObjectAndAttributes);
     if (!rvCachedObject) {
 	goto loser;
     }
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -450,17 +450,17 @@ ECL_USERS = ec.c
 
 ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX)))
 ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
 
 $(ECL_OBJS): $(ECL_HDRS)
 
 
 
-$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c mac_rand.c os2_rand.c
+$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c os2_rand.c
 
 $(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
 
 $(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
 
 ifeq ($(SYSV_SPARC),1)
 
 $(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/mpv_sparcv8x.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -85,35 +85,33 @@ SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)
 RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/nssutil3.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
 endif # NS_USE_GCC
 
 else
 
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 endif
 
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
 endif
+
+endif
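Review bot: The Darwin-only `-dylib_file` line has no comment explaining why libplc4 and libplds4 still need to be mapped after `-lplc4` and `-lplds4` were dropped from every EXTRA_SHARED_LIBS list above it. Presumably they remain indirect dependencies and the linker has to resolve their `@executable_path` install names at build time. A comment such as `# plc4/plds4 are indirect dependencies only; tell ld where to find them` would keep a later cleanup from deleting the line. The outer conditional closed by the final `endif` starts outside the hunk.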
deleted file mode 100644
--- a/security/nss/lib/freebl/mac_rand.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef notdef
-#include "xp_core.h"
-#include "xp_file.h"
-#endif
-#include "secrng.h"
-#include "mcom_db.h"
-#ifdef XP_MAC
-#include <Events.h>
-#include <OSUtils.h>
-#include <QDOffscreen.h>
-#include <PPCToolbox.h>
-#include <Processes.h>
-#include <LowMem.h>
-#include <Scrap.h>
-
-/* Static prototypes */
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
-void FE_ReadScreen();
-
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
-    union endianness {
-        int32 i;
-        char c[4];
-    } u;
-
-    if (srclen <= dstlen) {
-        memcpy(dst, src, srclen);
-        return srclen;
-    }
-    u.i = 0x01020304;
-    if (u.c[0] == 0x01) {
-        /* big-endian case */
-        memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
-    } else {
-        /* little-endian case */
-        memcpy(dst, src, dstlen);
-    }
-    return dstlen;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
-    UnsignedWide microTickCount;
-    Microseconds(&microTickCount);
-    return CopyLowBits(buf, maxbytes,  &microTickCount, sizeof(microTickCount));
-}
-
-void RNG_FileForRNG(const char *filename)
-{   
-    unsigned char buffer[BUFSIZ];
-    size_t bytes;
-#ifdef notdef /*sigh*/
-    XP_File file;
-	unsigned long totalFileBytes = 0;
-
-	if (filename == NULL)	/* For now, read in global history if filename is null */
-		file = XP_FileOpen(NULL, xpGlobalHistory,XP_FILE_READ_BIN);
-	else
-		file = XP_FileOpen(NULL, xpURL,XP_FILE_READ_BIN);
-    if (file != NULL) {
-        for (;;) {
-            bytes = XP_FileRead(buffer, sizeof(buffer), file);
-            if (bytes == 0) break;
-            RNG_RandomUpdate( buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > 100*1024) break;	/* No more than 100 K */
-        }
-		XP_FileClose(file);
-    }
-#endif
-    /*
-     * Pass yet another snapshot of our highest resolution clock into
-     * the hash function.
-     */
-    bytes = RNG_GetNoise(buffer, sizeof(buffer));
-    RNG_RandomUpdate(buffer, sizeof(buffer));
-}
-
-void RNG_SystemInfoForRNG()
-{
-/* Time */
-	{
-		unsigned long sec;
-		size_t bytes;
-		GetDateTime(&sec);	/* Current time since 1970 */
-		RNG_RandomUpdate( &sec, sizeof(sec));
-	    bytes = RNG_GetNoise(&sec, sizeof(sec));
-	    RNG_RandomUpdate(&sec, bytes);
-    }
-/* User specific variables */
-	{
-		MachineLocation loc;
-		ReadLocation(&loc);
-		RNG_RandomUpdate( &loc, sizeof(loc));
-	}
-#if !TARGET_CARBON
-/* User name */
-	{
-		unsigned long userRef;
-		Str32 userName;
-		GetDefaultUser(&userRef, userName);
-		RNG_RandomUpdate( &userRef, sizeof(userRef));
-		RNG_RandomUpdate( userName, sizeof(userName));
-	}
-#endif
-/* Mouse location */
-	{
-		Point mouseLoc;
-		GetMouse(&mouseLoc);
-		RNG_RandomUpdate( &mouseLoc, sizeof(mouseLoc));
-	}
-/* Keyboard time threshold */
-	{
-		SInt16 keyTresh = LMGetKeyThresh();
-		RNG_RandomUpdate( &keyTresh, sizeof(keyTresh));
-	}
-/* Last key pressed */
-	{
-		SInt8 keyLast;
-		keyLast = LMGetKbdLast();
-		RNG_RandomUpdate( &keyLast, sizeof(keyLast));
-	}
-/* Volume */
-	{
-		UInt8 volume = LMGetSdVolume();
-		RNG_RandomUpdate( &volume, sizeof(volume));
-	}
-#if !TARGET_CARBON
-/* Current directory */
-	{
-		SInt32 dir = LMGetCurDirStore();
-		RNG_RandomUpdate( &dir, sizeof(dir));
-	}
-#endif
-/* Process information about all the processes in the machine */
-	{
-		ProcessSerialNumber 	process;
-		ProcessInfoRec pi;
-	
-		process.highLongOfPSN = process.lowLongOfPSN  = kNoProcess;
-		
-		while (GetNextProcess(&process) == noErr)
-		{
-			FSSpec fileSpec;
-			pi.processInfoLength = sizeof(ProcessInfoRec);
-			pi.processName = NULL;
-			pi.processAppSpec = &fileSpec;
-			GetProcessInformation(&process, &pi);
-			RNG_RandomUpdate( &pi, sizeof(pi));
-			RNG_RandomUpdate( &fileSpec, sizeof(fileSpec));
-		}
-	}
-	
-#if !TARGET_CARBON
-/* Heap */
-	{
-		THz zone = LMGetTheZone();
-		RNG_RandomUpdate( &zone, sizeof(zone));
-	}
-#endif
-	
-/* Screen */
-	{
-		GDHandle h = GetMainDevice();		/* GDHandle is **GDevice */
-		RNG_RandomUpdate( *h, sizeof(GDevice));
-	}
-
-#if !TARGET_CARBON
-/* Scrap size */
-	{
-		SInt32 scrapSize = LMGetScrapSize();
-		RNG_RandomUpdate( &scrapSize, sizeof(scrapSize));
-	}
-/* Scrap count */
-	{
-		SInt16 scrapCount = LMGetScrapCount();
-		RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
-	}
-#else
-	{
-	    ScrapRef scrap;
-        if (GetCurrentScrap(&scrap) == noErr) {
-            UInt32 flavorCount;
-            if (GetScrapFlavorCount(scrap, &flavorCount) == noErr) {
-                ScrapFlavorInfo* flavorInfo = (ScrapFlavorInfo*) malloc(flavorCount * sizeof(ScrapFlavorInfo));
-                if (flavorInfo != NULL) {
-                    if (GetScrapFlavorInfoList(scrap, &flavorCount, flavorInfo) == noErr) {
-                        UInt32 i;
-                        RNG_RandomUpdate(&flavorCount, sizeof(flavorCount));
-                        for (i = 0; i < flavorCount; ++i) {
-                            Size flavorSize;
-                            if (GetScrapFlavorSize(scrap, flavorInfo[i].flavorType, &flavorSize) == noErr)
-                                RNG_RandomUpdate(&flavorSize, sizeof(flavorSize));
-                        }
-                    }
-                    free(flavorInfo);
-                }
-            }
-        }
-    }
-#endif
-/*  File stuff, last modified, etc. */
-	{
-		HParamBlockRec			pb;
-		GetVolParmsInfoBuffer	volInfo;
-		pb.ioParam.ioVRefNum = 0;
-		pb.ioParam.ioNamePtr = nil;
-		pb.ioParam.ioBuffer = (Ptr) &volInfo;
-		pb.ioParam.ioReqCount = sizeof(volInfo);
-		PBHGetVolParmsSync(&pb);
-		RNG_RandomUpdate( &volInfo, sizeof(volInfo));
-	}
-#if !TARGET_CARBON
-/* Event queue */
-	{
-		EvQElPtr		eventQ;
-		for (eventQ = (EvQElPtr) LMGetEventQueue()->qHead; 
-				eventQ; 
-				eventQ = (EvQElPtr)eventQ->qLink)
-			RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
-	}
-#endif
-	FE_ReadScreen();
-	RNG_FileForRNG(NULL);
-}
-
-void FE_ReadScreen()
-{
-	UInt16				coords[4];
-	PixMapHandle 		pmap;
-	GDHandle			gh;	
-	UInt16				screenHeight;
-	UInt16				screenWidth;			/* just what they say */
-	UInt32				bytesToRead;			/* number of bytes we're giving */
-	UInt32				offset;					/* offset into the graphics buffer */
-	UInt16				rowBytes;
-	UInt32				rowsToRead;
-	float				bytesPerPixel;			/* dependent on buffer depth */
-	Ptr					p;						/* temporary */
-	UInt16				x, y, w, h;
-
-	gh = LMGetMainDevice();
-	if ( !gh )
-		return;
-	pmap = (**gh).gdPMap;
-	if ( !pmap )
-		return;
-		
-	RNG_GenerateGlobalRandomBytes( coords, sizeof( coords ) );
-	
-	/* make x and y inside the screen rect */	
-	screenHeight = (**pmap).bounds.bottom - (**pmap).bounds.top;
-	screenWidth = (**pmap).bounds.right - (**pmap).bounds.left;
-	x = coords[0] % screenWidth;
-	y = coords[1] % screenHeight;
-	w = ( coords[2] & 0x7F ) | 0x40;		/* Make sure that w is in the range 64..128 */
-	h = ( coords[3] & 0x7F ) | 0x40;		/* same for h */
-
-	bytesPerPixel = (**pmap).pixelSize / 8;
-	rowBytes = (**pmap).rowBytes & 0x7FFF;
-
-	/* starting address */
-	offset = ( rowBytes * y ) + (UInt32)( (float)x * bytesPerPixel );
-	
-	/* don't read past the end of the pixmap's rowbytes */
-	bytesToRead = PR_MIN(	(UInt32)( w * bytesPerPixel ),
-						(UInt32)( rowBytes - ( x * bytesPerPixel ) ) );
-
-	/* don't read past the end of the graphics device pixmap */
-	rowsToRead = PR_MIN(	h, 
-						( screenHeight - y ) );
-	
-	p = GetPixBaseAddr( pmap ) + offset;
-	
-	while ( rowsToRead-- )
-	{
-		RNG_RandomUpdate( p, bytesToRead );
-		p += rowBytes;
-	}
-}
-#endif
--- a/security/nss/lib/freebl/md2.c
+++ b/security/nss/lib/freebl/md2.c
@@ -95,17 +95,17 @@ MD2_Hash(unsigned char *dest, const char
 {
 	unsigned int len;
 	MD2Context *cx = MD2_NewContext();
 	if (!cx) {
 		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
 		return SECFailure;
 	}
 	MD2_Begin(cx);
-	MD2_Update(cx, (unsigned char *)src, PL_strlen(src));
+	MD2_Update(cx, (const unsigned char *)src, PORT_Strlen(src));
 	MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
 	MD2_DestroyContext(cx, PR_TRUE);
 	return SECSuccess;
 }
 
 MD2Context *
 MD2_NewContext(void)
 {
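Review bot: Replacing `PL_strlen(src)` with `PORT_Strlen(src)` in MD2_Hash changes the behaviour for a NULL `src`: NSPR's PL_strlen returns 0 for a null pointer, while PORT_Strlen is, as far as I know, a plain `strlen` macro and will dereference it. If NULL was ever a tolerated input, add an explicit guard before `MD2_NewContext()`, for example `if (!src) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The same substitution is made in MD5_Hash in the md5.c hunk and needs the same decision there. The `size_t` result is also narrowed to a 32-bit length parameter (visible as `uint32 src_length` on MD5_HashBuf) without a range check. MD2_Hash's signature lies above this hunk.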
--- a/security/nss/lib/freebl/md5.c
+++ b/security/nss/lib/freebl/md5.c
@@ -217,17 +217,17 @@ struct MD5ContextStr {
 	} u;
 };
 
 #define inBuf u.b
 
 SECStatus 
 MD5_Hash(unsigned char *dest, const char *src)
 {
-	return MD5_HashBuf(dest, (unsigned char *)src, PL_strlen(src));
+	return MD5_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
 }
 
 SECStatus 
 MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
 {
 	unsigned int len;
 	MD5Context cx;
 
--- a/security/nss/lib/freebl/sysrand.c
+++ b/security/nss/lib/freebl/sysrand.c
@@ -36,14 +36,11 @@
 
 #include "seccomon.h"
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unix_rand.c"
 #endif
 #ifdef XP_WIN
 #include "win_rand.c"
 #endif
-#ifdef XP_MAC
-#include "mac_rand.c"
-#endif
 #ifdef XP_OS2
 #include "os2_rand.c"
 #endif
--- a/security/nss/lib/jar/jarfile.c
+++ b/security/nss/lib/jar/jarfile.c
@@ -355,17 +355,18 @@ static int jar_physical_inflate
 
   long at, chunk;
   char *inbuf, *outbuf;
 
   int status = 0;
 
   unsigned long prev_total, ochunk, tin;
 
-  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL)
+  /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK + 1)) == NULL)
     return JAR_ERR_MEMORY;
 
   if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
     {
     PORT_Free (inbuf);
     return JAR_ERR_MEMORY;
     }
 
@@ -395,16 +396,22 @@ static int jar_physical_inflate
         JAR_FCLOSE (out);
         PORT_Free (inbuf);
         PORT_Free (outbuf);
         return JAR_ERR_CORRUPT;
         }
 
       at += chunk;
 
+      if (at == length)
+        {
+        /* add an extra dummy byte at the end */
+        inbuf[chunk++] = 0xDD;
+        }
+
       zs.next_in = (Bytef *) inbuf;
       zs.avail_in = chunk;
       zs.avail_out = OCHUNK;
 
       tin = zs.total_in;
 
       while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
         {
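Review bot: The pad byte written by `inbuf[chunk++] = 0xDD;` is a magic value stored into a plain `char`, where 0xDD is out of range if `char` is signed; the same literal is repeated for `manifest[length++]` in the jar_extract_mf hunk further down. A single named constant with an explicit cast would make both writes self-documenting, for example a new macro such as `#define JAR_INFLATE_PAD_BYTE ((char)0xDD)` (name is a suggestion). The write is in bounds only if `chunk` never exceeds ICHUNK, since the buffer is allocated as `ICHUNK + 1` in the first hunk. `chunk` is computed outside this hunk, so a short comment stating that invariant next to the write would help the next reader.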
@@ -626,17 +633,17 @@ static int jar_extract_mf (JAR *jar, jar
   JAR_Item *it;
 
   JAR_Physical *phy;
 
   ZZLink *link;
   ZZList *list;
 
   char *fn, *e;
-  char ZHUGEP *manifest = NULL;
+  char ZHUGEP *manifest;
 
   long length;
   int status, ret = 0, num;
 
   list = jar->phy;
 
   if (ZZ_ListEmpty (list))
     return JAR_ERR_PNF;
@@ -671,42 +678,43 @@ static int jar_extract_mf (JAR *jar, jar
       if (*e == '.') e++;
 
       if (PORT_Strcasecmp (ext, e))
         {
         /* not the right extension */
         continue;
         }
 
-      if (phy->length == 0)
+      if (phy->length == 0 || phy->length > 0xFFFF)
         {
-        /* manifest files cannot be zero length! */
+        /* manifest files cannot be zero length or too big! */
+        /* the 0xFFFF limit is per J2SE SDK */
         return JAR_ERR_CORRUPT;
         }
 
       /* Read in the manifest and parse it */
-      /* limit is per J2SE SDK */
-      if (phy->length <= 0xFFFF) {
-          manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
-      }
+      /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+      manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
       if (manifest)
         {
         JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
         num = JAR_FREAD (fp, manifest, phy->length);
 
         if (num != phy->length)
           {
           /* corrupt archive file */
           PORT_Free (manifest);
           return JAR_ERR_CORRUPT;
           }
 
         if (phy->compression == 8)
           {
           length = phy->length;
+          /* add an extra dummy byte at the end */
+          manifest[length++] = 0xDD;
 
           status = jar_inflate_memory ((unsigned int) phy->compression, &length,  phy->uncompressed_length, &manifest);
 
           if (status < 0)
             {
             PORT_Free (manifest);
             return status;
             }
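Review bot: The new `phy->length > 0xFFFF` check bounds only the compressed size; `phy->uncompressed_length`, which also comes from the archive, is passed to `jar_inflate_memory` unchecked in this hunk. If the J2SE limit is meant to cap the manifest itself, the declared inflated size should be bounded too, just before the inflate call: `if (phy->uncompressed_length > 0xFFFF) { PORT_Free (manifest); return JAR_ERR_CORRUPT; }`. How jar_inflate_memory sizes its output buffer is outside the hunk, so whether a large declared size turns into a large allocation should be confirmed there. jar_extract_mf starts and ends outside this hunk.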
--- a/security/nss/lib/libpkix/pkix/checker/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn
@@ -36,27 +36,43 @@
 #
 # ***** END LICENSE BLOCK *****
 CORE_DEPTH = ../../../../..
 
 EXPORTS = \
 	$(NULL)
 
 PRIVATE_EXPORTS = \
+	pkix_basicconstraintschecker.h \
 	pkix_certchainchecker.h \
+	pkix_defaultcrlchecker.h \
 	pkix_defaultrevchecker.h \
+	pkix_expirationchecker.h \
+	pkix_namechainingchecker.h \
+	pkix_nameconstraintschecker.h \
 	pkix_ocspchecker.h \
+	pkix_policychecker.h \
 	pkix_revocationchecker.h \
+	pkix_signaturechecker.h \
+	pkix_targetcertchecker.h \
 	$(NULL)
 
 MODULE = nss
 
 CSRCS = \
+	pkix_basicconstraintschecker.c \
 	pkix_certchainchecker.c \
+	pkix_defaultcrlchecker.c \
 	pkix_defaultrevchecker.c \
+	pkix_expirationchecker.c \
+	pkix_namechainingchecker.c \
+	pkix_nameconstraintschecker.c \
 	pkix_ocspchecker.c \
 	pkix_revocationchecker.c \
+	pkix_policychecker.c \
+	pkix_signaturechecker.c \
+	pkix_targetcertchecker.c \
 	$(NULL)
 
 REQUIRES = dbm
 
 LIBRARY_NAME = pkixchecker
 
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c
@@ -0,0 +1,339 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.c
+ *
+ * Functions for basic constraints validation
+ *
+ */
+
+#include "pkix_basicconstraintschecker.h"
+
+/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a basic constraints checker state */
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
+
+        state = (pkix_BasicConstraintsCheckerState *)object;
+
+        PKIX_DECREF(state->basicConstraintsOID);
+
+cleanup:
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                "pkix_BasicConstraintsCheckerState_RegisterSelf");
+
+        entry.description = "BasicConstraintsCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
+        entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new BasicConstraintsCheckerState using the number of certs in
+ *  the chain represented by "certsRemaining" and stores it at "pState".
+ *
+ * PARAMETERS:
+ *  "certsRemaining"
+ *      Number of certificates in the chain.
+ *  "pState"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a BasicConstraintsCheckerState Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Create(
+        PKIX_UInt32 certsRemaining,
+        pkix_BasicConstraintsCheckerState **pState,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Create");
+
+        PKIX_NULLCHECK_ONE(pState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
+                    sizeof (pkix_BasicConstraintsCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
+
+        /* initialize fields */
+        state->certsRemaining = certsRemaining;
+        state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_BASICCONSTRAINTS_OID,
+                    &state->basicConstraintsOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-BasicConstraintsChecker-Functions------------------------------ */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        pkix_BasicConstraintsCheckerState *state = NULL;
+        PKIX_Boolean caFlag = PKIX_FALSE;
+        PKIX_Int32 pathLength = 0;
+        PKIX_Int32 maxPathLength_now;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        state->certsRemaining--;
+
+        if (state->certsRemaining != 0) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                    (cert, &basicConstraints, plContext),
+                    PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+                /* get CA Flag and path length */
+                if (basicConstraints != NULL) {
+                        PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+                            (basicConstraints,
+                            &caFlag,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+                if (caFlag == PKIX_TRUE) {
+                        PKIX_CHECK
+                            (PKIX_PL_BasicConstraints_GetPathLenConstraint
+                            (basicConstraints,
+                            &pathLength,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+                }
+
+                }else{
+                        caFlag = PKIX_FALSE;
+                        pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+                }
+
+                PKIX_CHECK(pkix_IsCertSelfIssued
+                        (cert,
+                        &isSelfIssued,
+                        plContext),
+                        PKIX_ISCERTSELFISSUEDFAILED);
+
+                maxPathLength_now = state->maxPathLength;
+
+                if (isSelfIssued != PKIX_TRUE) {
+
+                    /* Not last CA Cert, but maxPathLength is down to zero */
+                    if (maxPathLength_now == 0) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
+                    }
+
+                    if (caFlag == PKIX_FALSE) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
+                    }
+
+                    if (maxPathLength_now > 0) { /* can be unlimited (-1) */
+                        maxPathLength_now--;
+                    }
+
+                }
+
+                if (caFlag == PKIX_TRUE) {
+                    if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
+                            maxPathLength_now = pathLength;
+                    } else {
+                            /* If pathLength is not specified, don't set */
+                        if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
+                            maxPathLength_now =
+                                    (maxPathLength_now > pathLength)?
+                                    pathLength:maxPathLength_now;
+                        }
+                    }
+                }
+
+                state->maxPathLength = maxPathLength_now;
+        }
+
+        /* Remove Basic Constraints Extension OID from list */
+        if (unresolvedCriticalExtensions != NULL) {
+
+                PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->basicConstraintsOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+        }
+
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+
+cleanup:
+        PKIX_DECREF(state);
+        PKIX_DECREF(basicConstraints);
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Initialize
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
+                    (certsRemaining, &state, plContext),
+                    PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_BasicConstraintsChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCHECKFAILED);
+
+cleanup:
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
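Review bot: In pkix_BasicConstraintsChecker_Check the `caFlag == PKIX_FALSE` rejection sits inside `if (isSelfIssued != PKIX_TRUE)`, so a self-issued non-final certificate without cA=TRUE is not rejected by this checker. RFC 5280 section 6.1.4 exempts self-issued certificates only from the path-length decrement, not from the cA requirement. Unless another checker enforces it, place `if (caFlag == PKIX_FALSE) { PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA); }` ahead of the self-issued branch. Separately, the header comment on pkix_BasicConstraintsChecker_Initialize is a copy of the RegisterSelf description ("Registers PKIX_CERT_TYPE ..."). It should instead say that the function creates the checker state for `certsRemaining` certificates and stores a new CertChainChecker at `pChecker`.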
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.h
+ *
+ * Header file for basic constraints checker.
+ *
+ */
+
+#ifndef _PKIX_BASICCONSTRAINTSCHECKER_H
+#define _PKIX_BASICCONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_BasicConstraintsCheckerStateStruct \
+        pkix_BasicConstraintsCheckerState;
+
+struct pkix_BasicConstraintsCheckerStateStruct{
+        PKIX_PL_OID *basicConstraintsOID;
+        PKIX_Int32 certsRemaining;
+        PKIX_Int32 maxPathLength;
+};
+
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BASICCONSTRAINTSCHECKER_H */
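Review bot: `certsRemaining` is declared `PKIX_Int32` in the state struct, but pkix_BasicConstraintsChecker_Initialize takes the count as `PKIX_UInt32 numCerts`, so the value changes signedness when it is stored. Using one type for both, or documenting the expected range on the field with a comment such as `/* certs still to be checked; expected >= 1 */`, would make the decrement-and-compare in the checker easier to reason about. The include guard `_PKIX_BASICCONSTRAINTSCHECKER_H` also begins with an underscore followed by an uppercase letter, which is a reserved identifier in C.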
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
@@ -0,0 +1,1205 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.c
+ *
+ * Functions for default CRL Checkers
+ *
+ */
+#define CERTCHAINCHECKERDEBUG 1
+
+#include "pkix_defaultcrlchecker.h"
+
+static char *reasonCodeMsgString[] = {
+	"Certificate is revoked by CRL for unspecified reason"
+	"Certificate is revoked by CRL for key compromise",
+	"Certificate is revoked by CRL for CA compromise",
+	"Certificate is revoked by CRL for affiliation changed",
+	"Certificate is revoked by CRL for being superseded",
+	"Certificate is revoked by CRL for cessation of operation",
+	"Certificate is revoked by CRL for certificate hold",
+	"Certificate is revoked by CRL for undefined reason",
+	"Certificate is revoked by CRL for being removed from CRL",
+	"Certificate is revoked by CRL for privilege withdrawn",
+	"Certificate is revoked by CRL for aACompromise",
+};
+
+static const int numReasonCodes = 
+    sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
+
+/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a default CRL checker state */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
+                    PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+        state = (pkix_DefaultCRLCheckerState *)object;
+
+        state->certHasValidCrl = PKIX_FALSE;
+        state->prevCertCrlSign = PKIX_FALSE;
+        state->reasonCodeMask = 0;
+
+        PKIX_DECREF(state->certStores);
+        PKIX_DECREF(state->testDate);
+        PKIX_DECREF(state->prevPublicKey);
+        PKIX_DECREF(state->prevPublicKeyList);
+        PKIX_DECREF(state->crlReasonCodeOID);
+        PKIX_DECREF(state->certIssuer);
+        PKIX_DECREF(state->certSerialNumber);
+        PKIX_DECREF(state->crlSelector);
+        state->crlStoreIndex = 0;
+        state->numCrlStores = 0;
+
+cleanup:
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
+ *  with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_RegisterSelf");
+
+        entry.description = "DefaultCRLCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
+        entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize DefaultCRLChecker state data.
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Trusted Anchor Public Key for verifying first Cert in the chain.
+ *      Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "nistCRLPolicyEnabled"
+ *      If enabled, enforce nist crl policy.
+ *  "pCheckerState"
+ *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Create(
+    PKIX_List *certStores,
+    PKIX_PL_Date *testDate,
+    PKIX_PL_PublicKey *trustedPubKey,
+    PKIX_UInt32 certsRemaining,
+    PKIX_Boolean nistCRLPolicyEnabled,
+    pkix_DefaultCRLCheckerState **pCheckerState,
+    void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_Create");
+        PKIX_NULLCHECK_TWO(certStores, pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+                    sizeof (pkix_DefaultCRLCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
+
+        /* Initialize fields */
+
+        PKIX_INCREF(certStores);
+        state->certStores = certStores;
+
+        PKIX_INCREF(testDate);
+        state->testDate = testDate;
+
+        PKIX_INCREF(trustedPubKey);
+        state->prevPublicKey = trustedPubKey;
+
+        state->certHasValidCrl = PKIX_FALSE;
+        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
+        state->prevCertCrlSign = PKIX_TRUE;
+        state->prevPublicKeyList = NULL;
+        state->reasonCodeMask = 0;
+        state->certsRemaining = certsRemaining;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_CRLREASONCODE_OID,
+                    &state->crlReasonCodeOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        state->certIssuer = NULL;
+        state->certSerialNumber = NULL;
+        state->crlSelector = NULL;
+        state->crlStoreIndex = 0;
+        state->numCrlStores = 0;
+
+        *pCheckerState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/* --Private-DefaultCRLChecker-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
+ *
+ * DESCRIPTION:
+ *  Check validity of "cert" based on CRLs at "crlList" that has correct
+ *  signature verification with "publicKey".
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert which has the certificate data. Must be non-NULL.
+ *  "certIssuer"
+ *      Address of Issuer that associates with the Cert. Must be non-NULL.
+ *  "certSerialNumber"
+ *      Address of Serial Number that associates with the Cert. Must be 
+ *      non-NULL.
+ *  "publicKey"
+ *      Address of Public Key that associates with the Cert Issuer.
+ *      Must be non-NULL.
+ *  "crlList"
+ *      A List CRLs that the certificate is verified upon. Must be non-NULL.
+ *  "state"
+ *      Address of DefaultCRLCheckerState which keeps dynamic state data.
+ *      Must be non-NULL.
+ *  "pCrlEntryList"
+ *      Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
+ *      this Cert. May be NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_CheckCRLs(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_PL_PublicKey *publicKey,
+        PKIX_List *crlList,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List **pCrlEntryList,
+        void *plContext)
+{
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_PL_PublicKey *pKey = NULL;
+        PKIX_List *unresCrlCritExtOIDs = NULL;
+        PKIX_List *unresCrlEntryCritExtOIDs = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_Error *verifyFail = NULL;
+        PKIX_UInt32 numCrls = 0;
+        PKIX_UInt32 numKeys = 0;
+        PKIX_UInt32 numCritExtOIDs = 0;
+        PKIX_Boolean crlVerified = PKIX_FALSE;
+        PKIX_Boolean crlRevoking = PKIX_FALSE;
+        PKIX_Int32 reasonCode = 0;
+        PKIX_UInt32 i;
+        PKIX_Int32 j;
+
+        PKIX_ENTER(CERTCHAINCHECKER,
+                    "pkix_DefaultCRLChecker_CheckCRLs");
+        PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
+
+        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        if (state->prevPublicKeyList != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (state->prevPublicKeyList, &numKeys, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+        }
+
+        /* Check if Cert is not revoked by any the the CRLs */
+
+        for (i = 0; i < numCrls; i++){
+
+                PKIX_CHECK(PKIX_List_GetItem
+                            (crlList, i, (PKIX_PL_Object **)&crl, plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                /*
+                 * Checking serial number (issuer done in selector) then
+                 * verify signature. If matches, get the CRL reason(s).
+                 */
+
+                if (state->prevCertCrlSign == PKIX_TRUE) {
+                        verifyFail = PKIX_PL_CRL_VerifySignature
+                                (crl, publicKey, plContext);
+                        if (verifyFail == NULL) {
+                                crlVerified = PKIX_TRUE;
+                        } else {
+                                crlVerified = PKIX_FALSE;
+                                PKIX_DECREF(verifyFail);
+                        }
+                }
+
+                if (crlVerified == PKIX_FALSE) {
+
+                    /* Verify from old key(s) on the list */
+                    for (j = numKeys - 1; j >= 0; j--) {
+
+                            PKIX_CHECK(PKIX_List_GetItem
+                                (state->prevPublicKeyList,
+                                j,
+                                (PKIX_PL_Object **) &pKey,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                            verifyFail = PKIX_PL_CRL_VerifySignature
+                                (crl, pKey, plContext);
+
+                            if (verifyFail == NULL) {
+                                crlVerified = PKIX_TRUE;
+                                break;
+                            } else {
+                                crlVerified = PKIX_FALSE;
+                                PKIX_DECREF(verifyFail);
+                            }
+
+                            PKIX_DECREF(pKey);
+                    }
+                }
+
+                if (crlVerified == PKIX_FALSE) {
+                    /* try next one ... */
+                    goto cleanup_loop;
+                }
+
+                state->certHasValidCrl = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
+                            (crl, &unresCrlCritExtOIDs, plContext),
+                            PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
+
+                /*
+                 * XXX Advanced CRL work - should put a
+                 * Loop here to process and remove critical
+                 * extension oids.
+                 */
+
+                if (unresCrlCritExtOIDs) {
+
+                    PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
+                        &numCritExtOIDs,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                    if (numCritExtOIDs != 0) {
+                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                                (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
+                        /*
+                         * Uncomment this after we have implemented
+                         * checkers for all the critical extensions.
+                         *
+                         * PKIX_ERROR
+                         *      ("Unrecognized CRL Critical Extension");
+                         */
+                    }
+                }
+
+                PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
+                            (crl, certSerialNumber, &crlEntry, plContext),
+                            PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
+
+                if (crlEntry == NULL) {
+                    goto cleanup_loop;
+                }
+
+                crlRevoking = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                            (crlEntry,
+                            &reasonCode,
+                            plContext),
+                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+                /* This is a valid CRLEntry, return it for caching */
+                if (crlEntryList == NULL) {
+                    PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                /* Set reason code in state for advance CRL reviewing */
+
+                if (reasonCode >= 0) {
+                    if (reasonCode >= numReasonCodes) 
+		        reasonCode = 0;
+
+                    state->reasonCodeMask |= 1 << reasonCode;
+                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+                        ("CRL revocation Reason: %s\n ",
+                        reasonCodeMsgString[reasonCode]);
+
+                } else {
+                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                        ("Revoked by Unknown CRL ReasonCode");
+                }
+
+                PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+                            (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
+                            PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
+                if (unresCrlEntryCritExtOIDs) {
+
+                    PKIX_CHECK(pkix_List_Remove
+                            (unresCrlEntryCritExtOIDs,
+                            (PKIX_PL_Object *) state->crlReasonCodeOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+
+                    PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
+                        &numCritExtOIDs,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                    if (numCritExtOIDs != 0) {
+
+                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                            (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
+                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
+                    }
+                }
+
+        cleanup_loop:
+
+                PKIX_DECREF(pKey);
+                PKIX_DECREF(verifyFail);
+                PKIX_DECREF(pKey);
+                PKIX_DECREF(crlEntry);
+                PKIX_DECREF(crl);
+                PKIX_DECREF(unresCrlCritExtOIDs);
+                PKIX_DECREF(unresCrlEntryCritExtOIDs);
+        }
+
+        *pCrlEntryList = crlEntryList;
+
+        if (crlRevoking == PKIX_TRUE) {
+
+                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+        }
+
+cleanup:
+
+        PKIX_DECREF(pKey);
+        PKIX_DECREF(verifyFail);
+        PKIX_DECREF(crlEntry);
+        PKIX_DECREF(crl);
+        PKIX_DECREF(unresCrlCritExtOIDs);
+        PKIX_DECREF(unresCrlEntryCritExtOIDs);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
+ *
+ * DESCRIPTION:
+ *  This function creates a CRLSelector suitable for finding a CRL for
+ *  the Cert pointed to by "cert", setting the result in the
+ *  defaultCRLCheckerState pointed to by "state".
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert for which a CRLSelector is to be constructed. Must be
+ *      non-NULL.
+ *  "state"
+ *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+        PKIX_PL_Cert *cert,
+        pkix_DefaultCRLCheckerState *state,
+        void *plContext)
+{
+        PKIX_PL_X500Name *certIssuer = NULL;
+        PKIX_PL_BigInt *certSerialNumber = NULL;
+        PKIX_PL_Date *nowDate = NULL;
+        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
+        PKIX_NULLCHECK_TWO(cert, state);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
+                PKIX_CERTGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
+                (cert, &certSerialNumber, plContext),
+                PKIX_CERTGETSERIALNUMBERFAILED);
+
+        if (state->testDate != NULL) {
+
+                PKIX_INCREF(state->testDate);
+                nowDate = state->testDate;
+
+        } else {
+
+                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                        (NULL, &nowDate, plContext),
+                        PKIX_DATECREATEUTCTIMEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_Create
+                (&comCrlSelParams, plContext),
+                PKIX_COMCRLSELPARAMSCREATEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
+                (comCrlSelParams, certIssuer, plContext),
+                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
+                (comCrlSelParams, nowDate, plContext),
+                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
+                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
+
+        PKIX_CHECK(PKIX_CRLSelector_Create
+                (NULL,
+                NULL, /* never used? (PKIX_PL_Object *)checker, */
+                &crlSelector,
+                plContext),
+                PKIX_CRLSELECTORCREATEFAILED);
+
+        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
+                (crlSelector, comCrlSelParams, plContext),
+                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
+
+        PKIX_DECREF(state->certIssuer);
+        PKIX_INCREF(certIssuer);
+        state->certIssuer = certIssuer;
+        PKIX_DECREF(state->certSerialNumber);
+        PKIX_INCREF(certSerialNumber);
+        state->certSerialNumber = certSerialNumber;
+        PKIX_DECREF(state->crlSelector);
+        PKIX_INCREF(crlSelector);
+        state->crlSelector = crlSelector;
+
+        state->crlStoreIndex = 0;
+
+        PKIX_CHECK(PKIX_List_GetLength
+                    (state->certStores, &(state->numCrlStores), plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        state->certHasValidCrl = PKIX_FALSE;
+
+cleanup:
+
+        PKIX_DECREF(certIssuer);
+        PKIX_DECREF(certSerialNumber);
+        PKIX_DECREF(nowDate);
+        PKIX_DECREF(comCrlSelParams);
+        PKIX_DECREF(crlSelector);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Store
+ *
+ * DESCRIPTION:
+ *  Checks the certStore pointed to by "certStore" for a CRL that may determine
+ *  whether the Cert pointed to by "cert" has been revoked.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "prevPublicKey"
+ *      Address of previous public key in the backward chain. May be NULL.
+ *  "state"
+ *      Address of DefaultCrlCheckerState. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "certStore"
+ *      Address of the CertStore to be queried for a relevant CRL. Must be
+ *      non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if processing
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check_Store(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_CertStore *certStore,
+        void **pNBIOContext,
+        void *plContext)
+{
+
+        PKIX_Boolean cacheFlag = PKIX_FALSE;
+        PKIX_Boolean cacheHit = PKIX_FALSE;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Int32 reasonCode = 0;
+        PKIX_UInt32 allReasonCodes = 0;
+        PKIX_List *crlList = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_Error *checkCrlFail = NULL;
+        PKIX_CertStore_CRLCallback getCrls = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
+        PKIX_NULLCHECK_TWO(checker, cert);
+        PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        /* Are this CertStore's entries in cache? */
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                (certStore, &cacheFlag, plContext),
+                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+        if (cacheFlag) {
+
+                PKIX_CHECK(pkix_CacheCrlEntry_Lookup
+                        (certStore,
+                        state->certIssuer,
+                        state->certSerialNumber,
+                        &cacheHit,
+                        &crlEntryList,
+                        plContext),
+                        PKIX_CACHECRLENTRYLOOKUPFAILED);
+
+        }
+
+        if (cacheHit) {
+
+                /* Use cached data */
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (crlEntryList, &numEntries, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numEntries; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                            (crlEntryList,
+                            i,
+                            (PKIX_PL_Object **)&crlEntry,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                            (crlEntry, &reasonCode, plContext),
+                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+		    if (reasonCode >= 0) {
+			if (reasonCode >= numReasonCodes) 
+			    reasonCode = 0;
+
+			allReasonCodes |= (1 << reasonCode);
+
+			PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+                                    ("CRL revocation Reason: %s\n ",
+                                    reasonCodeMsgString[reasonCode]);
+
+                    }
+
+                    PKIX_DECREF(crlEntry);
+                }
+
+                state->reasonCodeMask |= allReasonCodes;
+
+                if (allReasonCodes != 0) {
+
+                        PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+                }
+ 
+                PKIX_DECREF(crlEntryList);
+
+       } else {
+
+                if (nbioContext == NULL) {
+                        PKIX_CHECK(PKIX_CertStore_GetCRLCallback
+                                (certStore, &getCrls, plContext),
+                                PKIX_CERTSTOREGETCRLCALLBACKFAILED);
+
+                        PKIX_CHECK(getCrls
+                                (certStore,
+                                state->crlSelector,
+                                &nbioContext,
+                                &crlList,
+                                plContext),
+                                PKIX_GETCRLSFAILED);
+                } else {
+                        PKIX_CHECK(PKIX_CertStore_CrlContinue
+                                (certStore,
+                                state->crlSelector,
+                                &nbioContext,
+                                &crlList,
+                                plContext),
+                                PKIX_CERTSTORECRLCONTINUEFAILED);
+                }
+
+                /*
+                 * Verify Certificate validity: if one CertStore provides
+                 * reason code, we stop here. Instead of exhausting all
+                 * CertStores to get all possible reason codes associated
+                 *  with the Cert. May be expanded if desire otherwise.
+                 */
+
+                if (crlList == NULL) {
+
+                        *pNBIOContext = nbioContext;
+                } else {
+
+                        *pNBIOContext = NULL;
+
+                        checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
+                                (cert,
+                                state->certIssuer,
+                                state->certSerialNumber,
+                                prevPublicKey,
+                                crlList,
+                                state,
+                                &crlEntryList,
+                                plContext);
+
+                        if (checkCrlFail) {
+                                if (crlEntryList != NULL) {
+                                        /* Add to cache */
+                                        PKIX_CHECK(pkix_CacheCrlEntry_Add
+                                               (certStore,
+                                               state->certIssuer,
+                                               state->certSerialNumber,
+                                               crlEntryList,
+                                               plContext),
+                                               PKIX_CACHECRLENTRYADDFAILED);
+                                }
+                                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+                        }
+                }
+
+                PKIX_DECREF(crlList);
+
+        }
+
+cleanup:
+        PKIX_DECREF(crlEntryList);
+        PKIX_DECREF(crlEntry);
+        PKIX_DECREF(crlList);
+        PKIX_DECREF(checkCrlFail);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
+ *
+ * DESCRIPTION:
+ *  Check if the Cert has been revoked based on the CRL's data. It exhausts all
+ *  CertStores and match CRLs at those stores for the certificate. It set the
+ *  current date and issuer in CRLSelector to fetching CRL data from cache.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "prevPublicKey"
+ *      Address of previous public key in the backward chain. May be NULL.
+ *  "state"
+ *      Address of DefaultCrlCheckerState. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "useOnlyLocal"
+ *      Boolean value indicating whether to use or bypass remote CertStores
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if processing
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_Boolean useOnlyLocal,
+        void **pNBIOContext,
+        void *plContext)
+{
+
+        void *nbioContext = NULL;
+        PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_Error *storeError = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
+        PKIX_NULLCHECK_THREE(checker, cert, state);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for Error exit */
+
+        while ((state->crlStoreIndex) < (state->numCrlStores)) {
+
+                /*
+                 * For Basic CRL work, exit the loop when there is a valid
+                 * CRL. For advance CRL, need to exhaust CRL until all
+                 * reason masks are checked or a revocation is found.
+                 */
+
+                if (state->certHasValidCrl == PKIX_TRUE) {
+                        break;
+                }
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (state->certStores,
+                        state->crlStoreIndex,
+                        (PKIX_PL_Object **)&certStore,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (useOnlyLocal == PKIX_FALSE) {
+                        certStoreCanBeUsed = PKIX_TRUE;
+                } else {
+                        PKIX_CHECK(PKIX_CertStore_GetLocalFlag
+                                (certStore, &certStoreCanBeUsed, plContext),
+                                PKIX_CERTSTOREGETLOCALFLAGFAILED);
+                }
+
+                if (certStoreCanBeUsed == PKIX_TRUE)
+                {
+			/* Catch and re-throw error to preserve information */
+			storeError = pkix_DefaultCRLChecker_Check_Store
+			        (checker,
+			        cert,
+			        prevPublicKey,
+			        state,
+			        unresolvedCriticalExtensions,
+			        certStore,
+			        &nbioContext,
+			        plContext);
+			PKIX_CHECK
+				(storeError,
+				PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
+
+                        if (nbioContext != NULL) {
+                                /* I/O still pending. Exit and resume later. */
+                                *pNBIOContext = nbioContext;
+                                goto cleanup;
+                        }
+                }
+
+                PKIX_DECREF(certStore);
+                state->crlStoreIndex++;
+        } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
+
+        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
+            state->certHasValidCrl == PKIX_FALSE) {
+            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
+        }
+
+cleanup:
+
+        PKIX_DECREF(certStore);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check
+ *
+ * DESCRIPTION:
+ *  Check if the Cert has been revoked based the CRLs data.  This function
+ *  maintains the checker state to be current.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+        PKIX_PL_PublicKey *publicKey = NULL;
+        PKIX_PL_PublicKey *newPublicKey = NULL;
+        PKIX_Error *checkKeyUsageFail = NULL;
+        PKIX_Boolean selfIssued = PKIX_FALSE;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for Error exit */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (cert, &publicKey, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+        /*
+         * If we already have a selector, we were in the middle of checking
+         * when a certStore returned with non-blocking I/O pendning.
+         */
+        if ((state->crlSelector) == NULL) {
+                state->certsRemaining--;
+
+                PKIX_NULLCHECK_ONE(state->prevPublicKey);
+
+                if (state->prevCertCrlSign == PKIX_FALSE) {
+                        PKIX_ERROR
+                                (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
+                }
+
+                /* Set up CRLSelector */
+                PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+                        (cert, state, plContext),
+                        PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+
+        }
+
+        PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
+                    (checker,
+                    cert,
+                    state->prevPublicKey,
+                    state,
+                    unresolvedCriticalExtensions,
+                    PKIX_FALSE,
+                    &nbioContext,
+                    plContext),
+                    PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
+
+        if (nbioContext != NULL) {
+                *pNBIOContext = nbioContext;
+                goto cleanup;
+        }
+
+        PKIX_DECREF(state->crlSelector);
+
+        /*
+         * Some NIST test case in 4.5.* use different publicKeys for
+         * Cert and its CRL on the chain. Self-issued Certs are used
+         * to speciy multiple keys for those cases. That is why we apply
+         * the following algorithm:
+         *
+         * Check if Cert is self-issued. If so, the public key of the Cert
+         * that issues this Cert (old key) can be used together with this
+         * current key (new key) for key verification. If there are multiple
+         * self-issued certs, keys of those Certs (old keys) can also be used
+         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
+         * List) and cleared when a Cert is no longer self-issued.
+         * PrevPublicKey keep key of the previous Cert.
+         * PrevPublicKeyList keep key(s) of Cert before the previous one.
+         */
+        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+                    PKIX_ISCERTSELFISSUEFAILED);
+
+        if (selfIssued == PKIX_TRUE) {
+
+                if (state->prevPublicKeyList == NULL) {
+
+                        PKIX_CHECK(PKIX_List_Create
+                            (&state->prevPublicKeyList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (state->prevPublicKeyList,
+                            (PKIX_PL_Object *) state->prevPublicKey,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+        } else {
+                /* Not self-issued Cert any more, clear old key(s) saved */
+                PKIX_DECREF(state->prevPublicKeyList);
+        }
+
+        /* Make inheritance and save current Public Key */
+        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+                    (publicKey, state->prevPublicKey, &newPublicKey, plContext),
+                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
+
+        if (newPublicKey == NULL){
+                PKIX_INCREF(publicKey);
+                newPublicKey = publicKey;
+        }
+
+        PKIX_DECREF(state->prevPublicKey);
+        PKIX_INCREF(newPublicKey);
+        state->prevPublicKey = newPublicKey;
+
+        /* Save current Cert's crlSign bit for CRL checking later */
+        if (state->certsRemaining != 0) {
+                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
+                        (cert, PKIX_CRL_SIGN, plContext);
+
+                state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
+                        PKIX_TRUE : PKIX_FALSE;
+
+                PKIX_DECREF(checkKeyUsageFail);
+        }
+
+/*
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                (checker, (PKIX_PL_Object *)state, plContext),
+                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+ */
+
+cleanup:
+
+        PKIX_DECREF(state);
+        PKIX_DECREF(publicKey);
+        PKIX_DECREF(newPublicKey);
+        PKIX_DECREF(checkKeyUsageFail);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Initialize
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with DefaultCRLCheckerState.
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Address of Public Key of Trust Anchor. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "nistPolicyEnabled"
+ *      Enable NIST crl policy.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistPolicyEnabled,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
+        PKIX_NULLCHECK_TWO(certStores, pChecker);
+
+        PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
+                    (certStores,
+                    testDate,
+                    trustedPubKey,
+                    certsRemaining,
+                    nistPolicyEnabled, 
+                    &state,
+                    plContext),
+                    PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_DefaultCRLChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.h
+ *
+ * Header file for default CRL function
+ *
+ */
+
+#ifndef _PKIX_DEFAULTCRLCHECKER_H
+#define _PKIX_DEFAULTCRLCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_DefaultCRLCheckerState pkix_DefaultCRLCheckerState;
+
+struct pkix_DefaultCRLCheckerState {
+        PKIX_List *certStores; /* list of CertStore */
+        PKIX_PL_Date *testDate;
+        PKIX_Boolean certHasValidCrl;
+        PKIX_Boolean nistCRLPolicyEnabled;
+        PKIX_Boolean prevCertCrlSign;
+        PKIX_PL_PublicKey *prevPublicKey; /* Subject PubKey of last cert */
+        PKIX_List *prevPublicKeyList; /* of PKIX_PL_PublicKey */
+        PKIX_UInt32 reasonCodeMask;
+        PKIX_UInt32 certsRemaining;
+        PKIX_PL_OID *crlReasonCodeOID;
+
+        PKIX_PL_X500Name *certIssuer;
+        PKIX_PL_BigInt *certSerialNumber;
+        PKIX_CRLSelector *crlSelector;
+        PKIX_UInt32 crlStoreIndex;
+        PKIX_UInt32 numCrlStores;
+};
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistCRLPolicyEnabled,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_Boolean useOnlyLocal,
+        void **pNBIOContext,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+        PKIX_PL_Cert *cert,
+        pkix_DefaultCRLCheckerState *state,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_DEFAULTCRLCHECKER_H */
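Review bot: The prototype of `pkix_DefaultCRLChecker_Check_Helper` gives no contract for `pNBIOContext`, and the definition added in pkix_defaultcrlchecker.c by this same commit reads `*pNBIOContext` right after a `PKIX_NULLCHECK_THREE(checker, cert, state)` that does not cover it. Because the helper has external linkage and is declared here for other callers, a NULL argument would be dereferenced rather than reported as a PKIX error. I would add `PKIX_NULLCHECK_ONE(pNBIOContext);` next to the existing check in the definition and a one-line comment on this prototype saying the pointer must be non-NULL. The `nistCRLPolicyEnabled` field also deserves a comment: the helper rejects a certificate for which no store yields a valid CRL only when that flag is set, so with the flag clear the revocation check is soft-fail.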
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c
@@ -0,0 +1,146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.c
+ *
+ * Functions for expiration validation
+ *
+ */
+
+
+#include "pkix_expirationchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_Date *testDate = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&testDate, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_CheckValidity(cert, testDate, plContext),
+                    PKIX_CERTCHECKVALIDITYFAILED);
+
+cleanup:
+
+        PKIX_DECREF(testDate);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  used by pkix_ExpirationChecker_Check to check that the certificate has not
+ *  expired with respect to the Date pointed to by "testDate." If "testDate"
+ *  is NULL, then the CertChainChecker will check that a certificate has not
+ *  expired with respect to the current date and time.
+ *
+ * PARAMETERS:
+ *  "testDate"
+ *      Address of Date representing the point in time at which the cert is to
+ *      be validated. If "testDate" is NULL, the current date and time is used.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+        PKIX_PL_Date *testDate,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        PKIX_PL_Date *myDate = NULL;
+        PKIX_PL_Date *nowDate = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        /* if testDate is NULL, we use the current time */
+        if (!testDate){
+                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                            (NULL, &nowDate, plContext),
+                            PKIX_DATECREATEUTCTIMEFAILED);
+                myDate = nowDate;
+        } else {
+                myDate = testDate;
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_ExpirationChecker_Check,
+                    PKIX_TRUE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)myDate,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(nowDate);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
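Review bot: When `testDate` is NULL, `pkix_ExpirationChecker_Initialize` samples the clock once and stores that Date as the checker state, so `pkix_ExpirationChecker_Check` compares every certificate against the time the checker was created, not the time of the check. The header comment says the checker validates "with respect to the current date and time", which reads as if the clock were consulted per certificate. If a caller keeps a checker alive and reuses it, a certificate that expired after the checker was created would still pass. I would reword the inline comment to `/* testDate == NULL: snapshot the current time now; Check reuses this Date for every cert */` and say in the header comment that the checker should not outlive one validation when current-time semantics are wanted.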
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.h
+ *
+ * Header file for validate expiration function
+ *
+ */
+
+#ifndef _PKIX_EXPIRATIONCHECKER_H
+#define _PKIX_EXPIRATIONCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+        PKIX_PL_Date *testDate,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_EXPIRATIONCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c
@@ -0,0 +1,154 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.c
+ *
+ * Functions for name chaining validation
+ *
+ */
+
+
+#include "pkix_namechainingchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_X500Name *prevSubject = NULL;
+        PKIX_PL_X500Name *currIssuer = NULL;
+        PKIX_PL_X500Name *currSubject = NULL;
+        PKIX_Boolean result;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&prevSubject, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
+                    PKIX_CERTGETISSUERFAILED);
+
+        if (prevSubject){
+                PKIX_CHECK(PKIX_PL_X500Name_Match
+                            (prevSubject, currIssuer, &result, plContext),
+                            PKIX_X500NAMEMATCHFAILED);
+                if (!result){
+                        PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+                }
+        } else {
+                PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
+                    PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)currSubject, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(prevSubject);
+        PKIX_DECREF(currIssuer);
+        PKIX_DECREF(currSubject);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  be used by pkix_NameChainingChecker_Check to check that the issuer name
+ *  of the certificate matches the subject name in the checker's state. The
+ *  X500Name pointed to by "trustedCAName" is used to initialize the checker's
+ *  state.
+ *
+ * PARAMETERS:
+ *  "trustedCAName"
+ *      Address of X500Name representing the trusted CA Name used to
+ *      initialize the state of this checker. Must be non-NULL.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+        PKIX_PL_X500Name *trustedCAName,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");
+        PKIX_NULLCHECK_TWO(pChecker, trustedCAName);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_NameChainingChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)trustedCAName,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
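Review bot: `pkix_NameChainingChecker_Check` sits under the `--Private-Functions--` banner and is not declared in pkix_namechainingchecker.h, but it is defined without `static` and so gets external linkage. `pkix_ExpirationChecker_Check` in pkix_expirationchecker.c has the same shape, whereas `pkix_DefaultCRLChecker_Check` is `static`. If nothing outside the file calls it (not visible from this diff), declare it `static PKIX_Error *` so the validation callback is reachable only through the checker object. Separately, the trace label in `PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");` does not match the function's name and should read `"pkix_NameChainingChecker_Initialize"`.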
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.h
+ *
+ * Header file for name chaining checker.
+ *
+ */
+
+#ifndef _PKIX_NAMECHAININGCHECKER_H
+#define _PKIX_NAMECHAININGCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+        PKIX_PL_X500Name *trustedCAName,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECHAININGCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -0,0 +1,338 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.c
+ *
+ * Functions for Name Constraints Checkers
+ *
+ */
+
+#include "pkix_nameconstraintschecker.h"
+
+/* --Private-NameConstraintsCheckerState-Functions---------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that object type */
+        PKIX_CHECK(pkix_CheckType
+            (object, PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE, plContext),
+            PKIX_OBJECTNOTNAMECONSTRAINTSCHECKERSTATE);
+
+        state = (pkix_NameConstraintsCheckerState *)object;
+
+        PKIX_DECREF(state->nameConstraints);
+        PKIX_DECREF(state->nameConstraintsOID);
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_RegisterSelf");
+
+        entry.description = "NameConstraintsCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_NameConstraintsCheckerState);
+        entry.destructor = pkix_NameConstraintsCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize NameConstraintsChecker state data.
+ *
+ * PARAMETERS
+ *  "nameConstraints"
+ *      Address of NameConstraints to be stored in state. May be NULL.
+ *  "numCerts"
+ *      Number of certificates in the validation chain. This data is used
+ *      to identify end-entity.
+ *  "pCheckerState"
+ *      Address of NameConstraintsCheckerState that is returned. Must be
+ *      non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CERTNAMECONSTRAINTSCHECKERSTATE Error if the function fails in
+ *  a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Create(
+    PKIX_PL_CertNameConstraints *nameConstraints,
+    PKIX_UInt32 numCerts,
+    pkix_NameConstraintsCheckerState **pCheckerState,
+    void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_Create");
+        PKIX_NULLCHECK_ONE(pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE,
+                    sizeof (pkix_NameConstraintsCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT);
+
+        /* Initialize fields */
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_NAMECONSTRAINTS_OID,
+                    &state->nameConstraintsOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        PKIX_INCREF(nameConstraints);
+
+        state->nameConstraints = nameConstraints;
+        state->certsRemaining = numCerts;
+
+        *pCheckerState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-NameConstraintsChecker-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
+        PKIX_Boolean selfIssued = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        state->certsRemaining--;
+
+        /* Get status of self issued */
+        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+                    PKIX_ISCERTSELFISSUEDFAILED);
+
+        /* Check on non self-issued and if so only for last cert */
+        if (selfIssued == PKIX_FALSE ||
+            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+                PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
+                    (cert, state->nameConstraints, plContext),
+                    PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
+        }
+
+        if (state->certsRemaining != 0) {
+
+            PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (cert, &nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+            /* Merge with previous name constraints kept in state */
+
+            if (nameConstraints != NULL) {
+
+                if (state->nameConstraints == NULL) {
+
+                        state->nameConstraints = nameConstraints;
+
+                } else {
+
+                        PKIX_CHECK(PKIX_PL_Cert_MergeNameConstraints
+                                (nameConstraints,
+                                state->nameConstraints,
+                                &mergedNameConstraints,
+                                plContext),
+                                PKIX_CERTMERGENAMECONSTRAINTSFAILED);
+
+                        PKIX_DECREF(nameConstraints);
+                        PKIX_DECREF(state->nameConstraints);
+
+                        state->nameConstraints = mergedNameConstraints;
+                }
+
+                /* Remove Name Constraints Extension OID from list */
+                if (unresolvedCriticalExtensions != NULL) {
+                        PKIX_CHECK(pkix_List_Remove
+                                    (unresolvedCriticalExtensions,
+                                    (PKIX_PL_Object *)state->nameConstraintsOID,
+                                    plContext),
+                                    PKIX_LISTREMOVEFAILED);
+                }
+            }
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Initialize
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with a NameConstraintsCheckerState. The
+ *  NameConstraintsCheckerState is created with "trustedNC" and "numCerts"
+ *  as its initial state. The CertChainChecker for the NameConstraints is
+ *  returned at address of "pChecker".
+ *
+ * PARAMETERS
+ *  "trustedNC"
+ *      The NameConstraints from trusted anchor Cert is stored at "trustedNC"
+ *      for initialization. May be NULL.
+ *  "numCerts"
+ *      Number of certificates in the validation chain. This data is used
+ *      to identify end-entity.
+ *  "pChecker"
+ *      Address of CertChainChecker to bo created and returned.
+ *      Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CERTCHAINCHECKER Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+        PKIX_PL_CertNameConstraints *trustedNC,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_NameConstraintsCheckerState_Create
+                    (trustedNC, numCerts, &state, plContext),
+                    PKIX_NAMECONSTRAINTSCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_NameConstraintsChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
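Review bot: In pkix_NameConstraintsChecker_Check the reference returned by PKIX_PL_Cert_GetNameConstraints is never released when PKIX_PL_Cert_MergeNameConstraints fails. PKIX_CHECK presumably jumps to `cleanup:`, which releases only `state`, while `PKIX_DECREF(nameConstraints)` sits after the merge call. The constraints being merged come from certificates in the chain under validation, so a failure path that leaks on every call is worth closing. I would add `PKIX_DECREF(nameConstraints);` under `cleanup:` and set `nameConstraints = NULL;` right after `state->nameConstraints = nameConstraints;`, so the reference handed to the state is not released twice. This assumes PKIX_DECREF does nothing on a NULL pointer, which the macro definition outside this hunk would confirm.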
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.h
+ *
+ * Header file for validate Name Constraints Checker function
+ *
+ */
+
+#ifndef _PKIX_NAMECONSTRAINTSCHECKER_H
+#define _PKIX_NAMECONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_NameConstraintsCheckerState \
+        pkix_NameConstraintsCheckerState;
+
+struct pkix_NameConstraintsCheckerState {
+        PKIX_PL_CertNameConstraints *nameConstraints;
+        PKIX_PL_OID *nameConstraintsOID;
+        PKIX_UInt32 certsRemaining;
+};
+
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+        PKIX_PL_CertNameConstraints *trustedNC,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECONSTRAINTSCHECKER_H */
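Review bot: The fields of `struct pkix_NameConstraintsCheckerState` have no comments, although the checker in pkix_nameconstraintschecker.c relies on `certsRemaining` to decide which certificate is the last one in the chain. I would add `/* certs still to be checked; reaches 0 on the final cert of the chain */` on `certsRemaining` and `/* accumulated constraints, may be NULL; reference released by the state's destructor */` on `nameConstraints`. The trailing backslash on the `typedef struct pkix_NameConstraintsCheckerState \` line is not needed outside a macro and can be dropped.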
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
@@ -0,0 +1,2795 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policychecker.c
+ *
+ * Functions for Policy Checker
+ *
+ */
+#include "pkix_policychecker.h"
+
+/* --Forward declarations----------------------------------------------- */
+
+static PKIX_Error *
+pkix_PolicyChecker_MakeSingleton(
+        PKIX_PL_Object *listItem,
+        PKIX_Boolean immutability,
+        PKIX_List **pList,
+        void *plContext);
+
+/* --Private-PolicyCheckerState-Functions---------------------------------- */
+
+/*
+ * FUNCTION:pkix_PolicyCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *checkerState = NULL;
+
+        PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+        checkerState = (PKIX_PolicyCheckerState *)object;
+
+        PKIX_DECREF(checkerState->certPoliciesExtension);
+        PKIX_DECREF(checkerState->policyMappingsExtension);
+        PKIX_DECREF(checkerState->policyConstraintsExtension);
+        PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
+        PKIX_DECREF(checkerState->anyPolicyOID);
+        PKIX_DECREF(checkerState->validPolicyTree);
+        PKIX_DECREF(checkerState->userInitialPolicySet);
+        PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
+
+        checkerState->policyQualifiersRejected = PKIX_FALSE;
+        checkerState->explicitPolicy = 0;
+        checkerState->inhibitAnyPolicy = 0;
+        checkerState->policyMapping = 0;
+        checkerState->numCerts = 0;
+        checkerState->certsProcessed = 0;
+        checkerState->certPoliciesCritical = PKIX_FALSE;
+
+        PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
+        PKIX_DECREF(checkerState->newAnyPolicyNode);
+        PKIX_DECREF(checkerState->mappedPolicyOIDs);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyCheckerState_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pCheckerStateString,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *state = NULL;
+        PKIX_PL_String *resultString = NULL;
+        PKIX_PL_String *policiesExtOIDString = NULL;
+        PKIX_PL_String *policyMapOIDString = NULL;
+        PKIX_PL_String *policyConstrOIDString = NULL;
+        PKIX_PL_String *inhAnyPolOIDString = NULL;
+        PKIX_PL_String *anyPolicyOIDString = NULL;
+        PKIX_PL_String *validPolicyTreeString = NULL;
+        PKIX_PL_String *userInitialPolicySetString = NULL;
+        PKIX_PL_String *mappedUserPolicySetString = NULL;
+        PKIX_PL_String *mappedPolicyOIDsString = NULL;
+        PKIX_PL_String *anyAtBottomString = NULL;
+        PKIX_PL_String *newAnyPolicyString = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *trueString = NULL;
+        PKIX_PL_String *falseString = NULL;
+        PKIX_PL_String *nullString = NULL;
+        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+        PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
+        PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
+        PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
+        char *asciiFormat =
+                "{\n"
+                "\tcertPoliciesExtension:    \t%s\n"
+                "\tpolicyMappingsExtension:  \t%s\n"
+                "\tpolicyConstraintsExtension:\t%s\n"
+                "\tinhibitAnyPolicyExtension:\t%s\n"
+                "\tanyPolicyOID:             \t%s\n"
+                "\tinitialIsAnyPolicy:       \t%s\n"
+                "\tvalidPolicyTree:          \t%s\n"
+                "\tuserInitialPolicySet:     \t%s\n"
+                "\tmappedUserPolicySet:      \t%s\n"
+                "\tpolicyQualifiersRejected: \t%s\n"
+                "\tinitialPolMappingInhibit: \t%s\n"
+                "\tinitialExplicitPolicy:    \t%s\n"
+                "\tinitialAnyPolicyInhibit:  \t%s\n"
+                "\texplicitPolicy:           \t%d\n"
+                "\tinhibitAnyPolicy:         \t%d\n"
+                "\tpolicyMapping:            \t%d\n"
+                "\tnumCerts:                 \t%d\n"
+                "\tcertsProcessed:           \t%d\n"
+                "\tanyPolicyNodeAtBottom:    \t%s\n"
+                "\tnewAnyPolicyNode:         \t%s\n"
+                "\tcertPoliciesCritical:     \t%s\n"
+                "\tmappedPolicyOIDs:         \t%s\n"
+                "}";
+
+        PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pCheckerStateString);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+        state = (PKIX_PolicyCheckerState *)object;
+        PKIX_NULLCHECK_THREE
+                (state->certPoliciesExtension,
+                state->policyMappingsExtension,
+                state->policyConstraintsExtension);
+        PKIX_NULLCHECK_THREE
+                (state->inhibitAnyPolicyExtension,
+                state->anyPolicyOID,
+                state->userInitialPolicySet);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+        /*
+         * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
+         * PKIX_PL_String is complicated enough, it's worth checking, for
+         * each, to make sure the string is needed.
+         */
+        initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
+        initialExplicitPolicy = state->initialExplicitPolicy;
+        initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
+        initialIsAnyPolicy = state->initialIsAnyPolicy;
+        policyQualifiersRejected = state->policyQualifiersRejected;
+        certPoliciesCritical = state->certPoliciesCritical;
+
+        if (initialPolicyMappingInhibit || initialExplicitPolicy ||
+            initialAnyPolicyInhibit || initialIsAnyPolicy ||
+            policyQualifiersRejected || certPoliciesCritical) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+        if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
+            !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
+            !policyQualifiersRejected || !certPoliciesCritical) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+        if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+
+        PKIX_TOSTRING
+                (state->certPoliciesExtension, &policiesExtOIDString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->policyMappingsExtension,
+                &policyMapOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->policyConstraintsExtension,
+                &policyConstrOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->inhibitAnyPolicyExtension,
+                &inhAnyPolOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->userInitialPolicySet,
+                &userInitialPolicySetString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->mappedUserInitialPolicySet,
+                &mappedUserPolicySetString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        if (state->anyPolicyNodeAtBottom) {
+                PKIX_CHECK(pkix_SinglePolicyNode_ToString
+                        (state->anyPolicyNodeAtBottom,
+                        &anyAtBottomString,
+                        plContext),
+                        PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+        } else {
+                PKIX_INCREF(nullString);
+                anyAtBottomString = nullString;
+        }
+
+        if (state->newAnyPolicyNode) {
+                PKIX_CHECK(pkix_SinglePolicyNode_ToString
+                        (state->newAnyPolicyNode,
+                        &newAnyPolicyString,
+                        plContext),
+                        PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+        } else {
+                PKIX_INCREF(nullString);
+                newAnyPolicyString = nullString;
+        }
+
+        PKIX_TOSTRING
+                (state->mappedPolicyOIDs,
+                &mappedPolicyOIDsString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&resultString,
+                plContext,
+                formatString,
+                policiesExtOIDString,
+                policyMapOIDString,
+                policyConstrOIDString,
+                inhAnyPolOIDString,
+                anyPolicyOIDString,
+                initialIsAnyPolicy?trueString:falseString,
+                validPolicyTreeString,
+                userInitialPolicySetString,
+                mappedUserPolicySetString,
+                policyQualifiersRejected?trueString:falseString,
+                initialPolicyMappingInhibit?trueString:falseString,
+                initialExplicitPolicy?trueString:falseString,
+                initialAnyPolicyInhibit?trueString:falseString,
+                state->explicitPolicy,
+                state->inhibitAnyPolicy,
+                state->policyMapping,
+                state->numCerts,
+                state->certsProcessed,
+                anyAtBottomString,
+                newAnyPolicyString,
+                certPoliciesCritical?trueString:falseString,
+                mappedPolicyOIDsString),
+                PKIX_SPRINTFFAILED);
+
+        *pCheckerStateString = resultString;
+
+cleanup:
+        PKIX_DECREF(policiesExtOIDString);
+        PKIX_DECREF(policyMapOIDString);
+        PKIX_DECREF(policyConstrOIDString);
+        PKIX_DECREF(inhAnyPolOIDString);
+        PKIX_DECREF(anyPolicyOIDString);
+        PKIX_DECREF(validPolicyTreeString);
+        PKIX_DECREF(userInitialPolicySetString);
+        PKIX_DECREF(mappedUserPolicySetString);