Bug 1107731 - Upgrade Mozilla 37 to use NSS 3.17.4. a=sledru
authorKai Engert <kaie@kuix.de>
Thu, 22 Jan 2015 12:26:00 -0500
changeset 249408 6b4103d8c3f769d4d97937a9d5a3a9cba8884247
parent 249407 78215cc3ded30f185a7afb10776b39d000221a35
child 249409 f76428627d7957ef39ca7b83c30e7462e9d938cd
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
treeherdermozilla-beta@fd7c3dc24146 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssledru
bugs1107731
milestone37.0a2
Bug 1107731 - Upgrade Mozilla 37 to use NSS 3.17.4. a=sledru
configure.in
security/nss/TAG-INFO
security/nss/cmd/pp/pp.c
security/nss/coreconf/command.mk
security/nss/coreconf/coreconf.dep
security/nss/coreconf/rules.mk
security/nss/doc/Makefile
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/lib/certdb/certt.h
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/freebl/ecl/README
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/doc/LICENSE-MPL
security/nss/lib/freebl/mpi/tests/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/README
security/nss/lib/libpkix/include/pkix_revchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/util/nssutil.h
security/nss/pkg/solaris/common_files/copyright
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/iopr/server_scr/config
security/nss/tests/libpkix/sample_apps/README
--- a/configure.in
+++ b/configure.in
@@ -3607,17 +3607,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.17.3, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.17.4, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
 
    if test -z "$GNU_CC" -a "$OS_ARCH" = "WINNT"; then
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA5
+NSS_3_17_4_RC0
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -26,18 +26,17 @@ static void Usage(char *progName)
 	    progName);
     fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
     fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
     fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
             SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
-    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
-            SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
+    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");
     fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
 	    "-o output");
     fprintf(stderr, "%-14s Don't wrap long output lines\n",
 	    "-w");
--- a/security/nss/coreconf/command.mk
+++ b/security/nss/coreconf/command.mk
@@ -6,18 +6,17 @@
 #######################################################################
 # Master "Core Components" default command macros;                    #
 # can be overridden in <arch>.mk                                      #
 #######################################################################
 
 AS            = $(CC)
 ASFLAGS      += $(CFLAGS)
 CCF           = $(CC) $(CFLAGS)
-LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS)
-LINK_EXE      = $(LINK) $(OS_LFLAGS) $(LFLAGS)
+LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
 CFLAGS        = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
 		$(XCFLAGS)
 PERL          = perl
 RANLIB        = echo
 TAR           = /bin/tar
 #
 # For purify
 #
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/coreconf/rules.mk
+++ b/security/nss/coreconf/rules.mk
@@ -236,17 +236,17 @@ endif
 alltags:
 	rm -f TAGS
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
-	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(XLDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
@@ -327,17 +327,17 @@ endif
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+	$(LDFLAGS) $(XLDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -34,29 +34,16 @@ date.xml:
 
 version.xml:
 	echo -n ${VERSION} > $@
 
 .PHONY : $(MANPAGES)
 .PHONY : $(HTMLPAGES)
 .PHONY : $(TXTPAGES)
 
-#------------------------------------------
-# Package a tar ball for building in fedora
-# Include the makefile and .xml files only
-# man pages will be created at build time
-#------------------------------------------
-
-tarball:
-	rm -rf $(name); \
-	mkdir -p $(name)/nroff; \
-	cp Makefile $(name); \
-	cp *.xml $(name); \
-	tar cvjf $(name)-$(date).tar.bz2 $(name)
-
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
 	
 MANPAGES = \
--- a/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
@@ -2,31 +2,32 @@
 #include "nss.h"
 #include "ssl.h"
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
+std::string g_working_dir_path;
+
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
-  std::string path = ".";
+  g_working_dir_path = ".";
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
-      path = argv[i + 1];
+      g_working_dir_path = argv[i + 1];
       ++i;
     }
   }
 
-  NSS_Initialize(path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
+  NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
   NSS_SetDomesticPolicy();
-
   int rv = RUN_ALL_TESTS();
 
   NSS_Shutdown();
 
   nss_test::Poller::Shutdown();
 
   return rv;
 }
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -11,16 +11,18 @@
 
 #include "test_io.h"
 #include "tls_parser.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
 
+extern std::string g_working_dir_path;
+
 namespace nss_test {
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
 // Inspector that parses out DTLS records and passes
 // them on.
 class TlsRecordInspector : public Inspector {
  public:
@@ -206,17 +208,20 @@ class TlsAgent : public PollTarget {
 
   TlsAgent(const std::string& name, Role role, Mode mode)
       : name_(name),
         mode_(mode),
         pr_fd_(nullptr),
         adapter_(nullptr),
         ssl_fd_(nullptr),
         role_(role),
-        state_(INIT) {}
+        state_(INIT) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+  }
 
   ~TlsAgent() {
     if (pr_fd_) {
       PR_Close(pr_fd_);
     }
 
     if (ssl_fd_) {
       PR_Close(ssl_fd_);
@@ -282,26 +287,46 @@ class TlsAgent : public PollTarget {
       if (!priv) return false;  // Leak cert.
 
       SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
       EXPECT_EQ(SECSuccess, rv);
       if (rv != SECSuccess) return false;  // Leak cert and key.
 
       SECKEY_DestroyPrivateKey(priv);
       CERT_DestroyCertificate(cert);
+    } else {
+      SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+      EXPECT_EQ(SECSuccess, rv);
+      if (rv != SECSuccess) return false;
     }
 
     SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
                                            reinterpret_cast<void*>(this));
     EXPECT_EQ(SECSuccess, rv);
     if (rv != SECSuccess) return false;
 
     return true;
   }
 
+  void SetSessionTicketsEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                                  en ? PR_TRUE : PR_FALSE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void SetSessionCacheEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                                  en ? PR_FALSE : PR_TRUE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
   void SetVersionRange(uint16_t minver, uint16_t maxver) {
     SSLVersionRange range = {minver, maxver};
     ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
   }
 
   State state() const { return state_; }
 
   const char* state_str() const { return state_str(state()); }
@@ -369,16 +394,21 @@ class TlsAgent : public PollTarget {
       case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
       default:
         LOG("Handshake failed with error " << err);
         SetState(ERROR);
         return;
     }
   }
 
+  std::vector<uint8_t> GetSessionId() {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -421,17 +451,29 @@ class TlsConnectTestBase : public ::test
         client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
         server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
 
   ~TlsConnectTestBase() {
     delete client_;
     delete server_;
   }
 
-  void SetUp() { Init(); }
+  void SetUp() {
+    // Configure a fresh session cache.
+    SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+    Init();
+  }
+
+  void TearDown() {
+    client_ = nullptr;
+    server_ = nullptr;
+
+    SSL_ShutdownServerSessionIDCache();
+  }
 
   void Init() {
     ASSERT_TRUE(client_->Init());
     ASSERT_TRUE(server_->Init());
 
     client_->SetPeer(server_);
     server_->SetPeer(client_);
   }
@@ -466,27 +508,36 @@ class TlsConnectTestBase : public ::test
     bool ret = client_->cipher_suite(&cipher_suite1);
     ASSERT_TRUE(ret);
     ret = server_->cipher_suite(&cipher_suite2);
     ASSERT_TRUE(ret);
     ASSERT_EQ(cipher_suite1, cipher_suite2);
 
     std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
               << std::endl;
+
+    // Check and store session ids.
+    std::vector<uint8_t> sid_c1 = client_->GetSessionId();
+    ASSERT_EQ(32, sid_c1.size());
+    std::vector<uint8_t> sid_s1 = server_->GetSessionId();
+    ASSERT_EQ(32, sid_s1.size());
+    ASSERT_EQ(sid_c1, sid_s1);
+    session_id_ = sid_c1;
   }
 
   void EnableSomeECDHECiphers() {
     client_->EnableSomeECDHECiphers();
     server_->EnableSomeECDHECiphers();
   }
 
  protected:
   Mode mode_;
   TlsAgent* client_;
   TlsAgent* server_;
+  std::vector<uint8_t> session_id_;
 };
 
 class TlsConnectTest : public TlsConnectTestBase {
  public:
   TlsConnectTest() : TlsConnectTestBase(STREAM) {}
 };
 
 class DtlsConnectTest : public TlsConnectTestBase {
@@ -511,16 +562,36 @@ TEST_P(TlsConnectGeneric, Connect) {
   // Check that we negotiated the expected version.
   if (mode_ == STREAM) {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
   } else {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
   }
 }
 
+TEST_P(TlsConnectGeneric, ConnectResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  Connect();
+  ASSERT_EQ(old_sid, session_id_) << "Session was not resumed when it should have been";
+}
+
+TEST_P(TlsConnectGeneric, ConnectNotResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  client_->SetSessionCacheEnabled(false);
+  Connect();
+
+  ASSERT_NE(old_sid, session_id_) << "Session was resumed when it should not have been";
+}
+
 TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
   EnsureTlsSetup();
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
@@ -556,16 +627,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
 
   // Restart
   Reset();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
   EnableSomeECDHECiphers();
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are the same.
   ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
@@ -589,16 +661,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   // Restart
   Reset();
   EnableSomeECDHECiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are different.
   ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -1172,26 +1172,26 @@ typedef struct {
      *     is not yet aware of the latest revocation methods
      *     (or does not want to use them).
      */ 
     PRUint64 *cert_rev_flags_per_method;
 
     /*
      * How many preferred methods are specified?
      * This is equivalent to the size of the array that 
-     *      preferred_revocation_methods points to.
+     *      preferred_methods points to.
      * It's allowed to set this value to zero,
      *      then NSS will decide which methods to prefer.
      */
     PRUint32 number_of_preferred_methods;
 
     /* Array that may specify an optional order of preferred methods.
      * Each array entry shall contain a method identifier as defined
      *   by CERTRevocationMethodIndex.
-     * The entry at index [0] specifies the method with highest preferrence.
+     * The entry at index [0] specifies the method with highest preference.
      * These methods will be tested first for locally available information.
      * Methods allowed for downloading will be attempted in the same order.
      */
     CERTRevocationMethodIndex *preferred_methods;
 
     /*
      * An integer which defines certain aspects of revocation checking
      * (independent of individual methods) by having individual
--- a/security/nss/lib/ckfw/dbm/db.c
+++ b/security/nss/lib/ckfw/dbm/db.c
@@ -132,17 +132,18 @@ nss_dbm_db_set_label
 
   k.data = PREFIX_METADATA "Label";
   k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
   v.data = label;
   v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
 
   /* Locked region */ 
   {
-    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+    rv = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != rv ) {
       return rv;
     }
 
     dbrv = db->db->put(db->db, &k, &v, 0);
     if( 0 != dbrv ) {
       rv = CKR_DEVICE_ERROR;
     }
 
--- a/security/nss/lib/ckfw/nssmkey/mobject.c
+++ b/security/nss/lib/ckfw/nssmkey/mobject.c
@@ -1875,17 +1875,17 @@ nss_ckmk_CreateObject
 (
   NSSCKFWSession *fwSession,
   CK_ATTRIBUTE_PTR pTemplate,
   CK_ULONG ulAttributeCount,
   CK_RV *pError
 )
 {
   CK_OBJECT_CLASS objClass;
-  ckmkInternalObject *io;
+  ckmkInternalObject *io = NULL;
   CK_BBOOL isToken;
 
   /*
    * only create token objects
    */
   isToken = nss_ckmk_GetBoolAttribute(CKA_TOKEN, pTemplate, 
                                       ulAttributeCount, CK_FALSE);
   if (!isToken) {
--- a/security/nss/lib/freebl/ecl/README
+++ b/security/nss/lib/freebl/ecl/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the elliptic curve math library.
-
-The Initial Developer of the Original Code is Sun Microsystems, Inc.
-Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
-Sun Microsystems, Inc. All Rights Reserved.
-
-Contributor(s):
-    Stephen Fung <fungstep@hotmail.com> and
-    Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
  
 The ECL exposes routines for constructing and converting curve
 parameters for internal use.
 
 
 HEADER FILES
 ============
 
--- a/security/nss/lib/freebl/mpi/README
+++ b/security/nss/lib/freebl/mpi/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1997-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 About the MPI Library
 ---------------------
 
 The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
 signed integer arithmetic package.  The implementation is not the most
 efficient possible, but the code is small and should be fairly easily
 portable to just about any machine that supports an ANSI C compiler,
--- a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/utils/README
+++ b/security/nss/lib/freebl/mpi/utils/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 Additional MPI utilities
 ------------------------
 
 The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
 the MPI library for dealing with prime numbers (in particular, testing
 for divisbility, and the Rabin-Miller probabilistic primality test).
 
--- a/security/nss/lib/libpkix/include/pkix_revchecker.h
+++ b/security/nss/lib/libpkix/include/pkix_revchecker.h
@@ -112,17 +112,17 @@ PKIX_RevocationChecker_Create(
  *      Address of ProcessingParams used to initialize the checker.
  *      Must be non-NULL.
  *  "methodType"
  *      Type of the method. Currently only two types are
  *      supported: crl and ocsp. (See PKIX_RevocationMethodType enum).
  *  "methodFlags"
  *      Set of flags for the method.
  *  "methodPriority"
- *      Method priority. (0 corresponds to a highest priority)
+ *      Method priority. (0 corresponds to the highest priority)
  *  "verificationFn"
  *      User call back function that will perform validation of fetched
  *      revocation information(new crl or ocsp response)
  *  "isLeafMethod"
  *      Boolean flag that if set to true indicates that the method should
  *      should be used for leaf cert revocation test(false for chain set
  *      methods).
  *  "plContext"
@@ -138,17 +138,17 @@ PKIX_RevocationChecker_Create(
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_RevocationChecker_CreateAndAddMethod(
     PKIX_RevocationChecker *revChecker,
     PKIX_ProcessingParams *params,
     PKIX_RevocationMethodType methodType,
     PKIX_UInt32 methodFlags,
-    PKIX_UInt32 mathodPriority,
+    PKIX_UInt32 methodPriority,
     PKIX_PL_VerifyCallback verificationFn,
     PKIX_Boolean isLeafMethod,
     void *plContext);
 
 /*
  * FUNCTION: PKIX_RevocationChecker_Check
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
         entry.comparator = NULL;
         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
 
         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
 
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 
-/* Sort methods by theirs priorities */
+/* Sort methods by their priorities (lower priority = higher preference) */
 static PKIX_Error *
 pkix_RevocationChecker_SortComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
     
     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
     
     method1 = (pkix_RevocationMethod *)obj1;
     method2 = (pkix_RevocationMethod *)obj2;
     
-    *pResult = (method1->priority > method2->priority);
+    if (method1->priority < method2->priority) {
+      *pResult = -1;
+    } else if (method1->priority > method2->priority) {
+      *pResult = 1;
+    } else {
+      *pResult = 0;
+    }
     
     PKIX_RETURN(BUILD);
 }
 
 
 /* --Public-Functions--------------------------------------------- */
 
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
@@ -43,18 +43,19 @@ pkix_ExternalRevocationCheckFn(PKIX_PL_C
                                pkix_RevocationMethod *checkerObject,
                                PKIX_ProcessingParams *procParams,
                                PKIX_UInt32 methodFlags,
                                PKIX_RevocationStatus *pRevStatus,
                                PKIX_UInt32 *reasonCode,
                                void **pNBIOContext, void *plContext);
 
 /* Revocation method structure assosiates revocation types with
- * a set of flags on the method, a priority of the method, and
- * method local/external checker functions. */
+ * a set of flags on the method, a priority of the method (0
+ * corresponds to the highest priority), and method local/external
+ * checker functions. */
 struct pkix_RevocationMethodStruct {
     PKIX_RevocationMethodType methodType;
     PKIX_UInt32 flags;
     PKIX_UInt32 priority;
     pkix_LocalRevocationCheckFn (*localRevChecker);
     pkix_ExternalRevocationCheckFn (*externalRevChecker);
 };
 
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
 
 /* --Private-BuildChain-Functions------------------------------------------- */
 
 /*
  * FUNCTION: pkix_Build_SortCertComparator
  * DESCRIPTION:
  *
  *  This Function takes two Certificates cast in "obj1" and "obj2",
- *  compares their validity NotAfter dates and returns the result at
- *  "pResult". The comparison key(s) can be expanded by using other
- *  data in the Certificate in the future.
+ *  compares them to determine which is a more preferable certificate
+ *  for chain building. This Function is suitable for use as a
+ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
+ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
+ *  is more desirable than "obj2".
  *
  * PARAMETERS:
  *  "obj1"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
  *  "obj2"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
@@ -686,24 +688,24 @@ static PKIX_Error *
 pkix_Build_SortCertComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
         PKIX_PL_Date *date1 = NULL;
         PKIX_PL_Date *date2 = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Int32 result = 0;
 
         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
 
         /*
          * For sorting candidate certificates, we use NotAfter date as the
-         * sorted key for now (can be expanded if desired in the future).
+         * comparison key for now (can be expanded if desired in the future).
          *
          * In PKIX_BuildChain, the List of CertStores was reordered so that
          * trusted CertStores are ahead of untrusted CertStores. That sort, or
          * this one, could be taken out if it is determined that it doesn't help
          * performance, or in some way hinders the solution of choosing desired
          * candidates.
          */
 
@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
         
         PKIX_CHECK(PKIX_PL_Object_Compare
                 ((PKIX_PL_Object *)date1,
                 (PKIX_PL_Object *)date2,
                 &result,
                 plContext),
                 PKIX_OBJECTCOMPARATORFAILED);
 
-        *pResult = !result;
+        /*
+         * Invert the result, so that if date1 is greater than date2,
+         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
+         * sorts in ascending order.
+         */
+        *pResult = -result;
 
 cleanup:
 
         PKIX_DECREF(date1);
         PKIX_DECREF(date2);
 
         PKIX_RETURN(BUILD);
 }
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
@@ -40,9 +40,14 @@ pkix_pl_CrlDp_RegisterSelf(void *plConte
 
 /* Parses CRLDistributionPoint structure and creaetes
  * pkix_pl_CrlDp object. */
 PKIX_Error *
 pkix_pl_CrlDp_Create(const CRLDistributionPoint *dp,
                      const CERTName *certIssuerName,
                      pkix_pl_CrlDp **pPkixDP,
                      void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _PKIX_PL_CRLDP_H */
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,22 +28,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.17.4" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   18
-#define NSS_VPATCH   0
+#define NSS_VMINOR   17
+#define NSS_VPATCH   4
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -288,31 +288,28 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJ
  */
 CERTCertificate *
 PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
 						CK_ATTRIBUTE *privateLabel)
 {
     char * nickname = NULL;
     CERTCertificate *cert = NULL;
     CERTCertTrust *trust;
-    PRBool isFortezzaRootCA = PR_FALSE;
-    PRBool swapNickname = PR_FALSE;
 
     cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
     if (cert == NULL) 
     	goto loser;
-	
+
     if (nickname) {
 	if (cert->nickname != NULL) {
 	    cert->dbnickname = cert->nickname;
 	} 
 	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
 	PORT_Free(nickname);
 	nickname = NULL;
-	swapNickname = PR_TRUE;
     }
 
     /* remember where this cert came from.... If we have just looked
      * it up from the database and it already has a slot, don't add a new
      * one. */
     if (cert->slot == NULL) {
 	cert->slot = PK11_ReferenceSlot(slot);
 	cert->pkcs11ID = certID;
@@ -338,17 +335,16 @@ PK11_MakeCertFromHandle(PK11SlotInfo *sl
 	    if (pk11_isID0(slot,certID) && 
 		cert->isRoot) {
 		trustflags |= CERTDB_TRUSTED_CA;
 		/* is the slot a fortezza card? allow the user or
 		 * admin to turn on objectSigning, but don't turn
 		 * full trust on explicitly */
 		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
 		    trust->objectSigningFlags |= CERTDB_VALID_CA;
-		    isFortezzaRootCA = PR_TRUE;
 		}
 	    }
 	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
 		trust->sslFlags |= trustflags;
 	    }
 	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
 		trust->emailFlags |= trustflags;
 	    }
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -1373,36 +1373,35 @@ SECItem *
 pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) 
 { 
     CK_RC2_CBC_PARAMS *rc2_params;
     CK_RC2_PARAMS *rc2_ecb_params;
     SECItem *mech;
     SECItem iv;
     SECStatus rv;
 
-
     mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
     if (mech == NULL) return NULL;
 
     rv = SECSuccess;
     mech->type = siBuffer;
+    mech->data = NULL;
+    mech->len = 0;
     switch (type) {
     case CKM_RC4:
     case CKM_SEED_ECB:
     case CKM_CAMELLIA_ECB:
     case CKM_AES_ECB:
     case CKM_DES_ECB:
     case CKM_DES3_ECB:
     case CKM_IDEA_ECB:
     case CKM_CDMF_ECB:
     case CKM_CAST_ECB:
     case CKM_CAST3_ECB:
     case CKM_CAST5_ECB:
-	mech->data = NULL;
-	mech->len = 0;
 	break;
     case CKM_RC2_ECB:
 	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
 	if (rc2_ecb_params == NULL) {
 	    rv = SECFailure;
 	    break;
 	}
 	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
@@ -1440,18 +1439,16 @@ pk11_GenerateNewParamWithKeyLen(CK_MECHA
 	rv = pk11_GenIV(type,&iv);
 	if (rv != SECSuccess) {
 	    break;
 	}
         PORT_Free(mech);
 	return PK11_ParamFromIV(type,&iv);
     default:
 	if (pk11_lookup(type)->iv == 0) {
-	    mech->data = NULL;
-	    mech->len = 0;
 	    break;
 	}
     case CKM_SEED_CBC:
     case CKM_CAMELLIA_CBC:
     case CKM_AES_CBC:
     case CKM_DES_CBC:
     case CKM_DES3_CBC:
     case CKM_IDEA_CBC:
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -715,23 +715,32 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, 
 }
 
 
 /* FC_CreateObject creates a new object. */
  CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
 					CK_OBJECT_HANDLE_PTR phObject) {
     CK_OBJECT_CLASS * classptr;
+    CK_RV rv = CKR_OK;
 
-    SFTK_FIPSCHECK();
     CHECK_FORK();
 
     classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
     if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
 
+    if (*classptr == CKO_NETSCAPE_NEWSLOT || *classptr == CKO_NETSCAPE_DELSLOT) {
+        if (sftk_fatalError)
+            return CKR_DEVICE_ERROR;
+    } else {
+        rv = sftk_fipsCheck();
+        if (rv != CKR_OK)
+            return rv;
+    }
+
     /* FIPS can't create keys from raw key material */
     if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
 	rv = CKR_ATTRIBUTE_VALUE_INVALID;
     } else {
 	rv = NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
     }
     if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
 	sftk_AuditCreateObject(hSession,pTemplate,ulCount,phObject,rv);
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.17.4" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   18
-#define SOFTOKEN_VPATCH   0
+#define SOFTOKEN_VMINOR   17
+#define SOFTOKEN_VPATCH   4
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_TRUE
+#define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -8739,21 +8739,21 @@ ssl3_SendServerHello(sslSocket *ss)
 static SECStatus
 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
 				SSL3SignatureAndHashAlgorithm* out)
 {
     TLSSignatureAlgorithm sigAlg;
     unsigned int i, j;
     /* hashPreference expresses our preferences for hash algorithms, most
      * preferable first. */
-    static const PRUint8 hashPreference[] = {
-	tls_hash_sha256,
-	tls_hash_sha384,
-	tls_hash_sha512,
-	tls_hash_sha1,
+    static const SECOidTag hashPreference[] = {
+        SEC_OID_SHA256,
+        SEC_OID_SHA384,
+        SEC_OID_SHA512,
+        SEC_OID_SHA1,
     };
 
     switch (ss->ssl3.hs.kea_def->kea) {
     case kea_rsa:
     case kea_rsa_export:
     case kea_rsa_export_1024:
     case kea_dh_rsa:
     case kea_dh_rsa_export:
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -2253,17 +2253,17 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PR
  * from a client.
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 static SECStatus
 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv;
     SECItem algorithms;
     const unsigned char *b;
-    unsigned int numAlgorithms, i;
+    unsigned int numAlgorithms, i, j;
 
     /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
         return SECSuccess;
     }
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -2289,30 +2289,31 @@ ssl3_ServerHandleSigAlgsXtn(sslSocket * 
     ss->ssl3.hs.clientSigAndHash =
             PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
     if (!ss->ssl3.hs.clientSigAndHash) {
         return SECFailure;
     }
     ss->ssl3.hs.numClientSigAndHash = 0;
 
     b = algorithms.data;
-    for (i = 0; i < numAlgorithms; i++) {
+    for (i = j = 0; i < numAlgorithms; i++) {
         unsigned char tls_hash = *(b++);
         unsigned char tls_sig = *(b++);
         SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
 
         if (hash == SEC_OID_UNKNOWN) {
             /* We ignore formats that we don't understand. */
             continue;
         }
         /* tls_sig support will be checked later in
          * ssl3_PickSignatureHashAlgorithm. */
-        ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
-        ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
-        ss->ssl3.hs.numClientSigAndHash++;
+        ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash;
+        ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig;
+        ++j;
+        ++ss->ssl3.hs.numClientSigAndHash;
     }
 
     if (!ss->ssl3.hs.numClientSigAndHash) {
         /* We didn't understand any of the client's requested signature
          * formats. We'll use the defaults. */
         PORT_Free(ss->ssl3.hs.clientSigAndHash);
         ss->ssl3.hs.clientSigAndHash = NULL;
     }
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.18 Beta"
+#define NSSUTIL_VERSION  "3.17.4"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   18
-#define NSSUTIL_VPATCH   0
+#define NSSUTIL_VMINOR   17
+#define NSSUTIL_VPATCH   4
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
--- a/security/nss/pkg/solaris/common_files/copyright
+++ b/security/nss/pkg/solaris/common_files/copyright
@@ -1,38 +1,6 @@
 Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.
 
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this package are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this package except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape Portable Runtime (NSPR).
-
-The Initial Developer of the Original Code is
-Netscape Communications Corporation.
-Portions created by the Initial Developer are Copyright (C) 1998-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -1,52 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Network Security Services (NSS)
-#
-# The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2009
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
-#   Ryan Sleevi <ryan.sleevi@gmail.com>, Google
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-#
-# Scenario ocspd.cfg will always be processed first,
-# regardless of its presence in this list.
-#
-# Scenario method.cfg will always be processed, regardless of its presence
-# in this list, and will be processed twice, once with httpserv -O get 
-# and once with -O post. Because method.cfg will be executed with both
-# classic and libpkix engines, it must not contain any policy checks.
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
 bridge.cfg
 megabridge_3_2.cfg
 extension.cfg
 extension2.cfg
 anypolicy.cfg
 anypolicywithlevel.cfg
 explicitPolicy.cfg
--- a/security/nss/tests/iopr/server_scr/config
+++ b/security/nss/tests/iopr/server_scr/config
@@ -1,42 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Network Security Services (NSS)
-#
-# The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2006-2009
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 certDir=/iopr
 caCertName=TestCA
 caCrlName=TestCA
 userCertNames="TestUser510 TestUser511"
 userRevokedCertNames="TestUser510"
 reverseRunCGIScript="/cgi-bin/client.cgi"
 supportedTests="SslSingleHs"
--- a/security/nss/tests/libpkix/sample_apps/README
+++ b/security/nss/tests/libpkix/sample_apps/README
@@ -1,44 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 This directory contains both sample applications and performance evaluation
 applications.
 
 SAMPLE APPLICATIONS
 
 Currently, there are two performance applications: libpkix_buildThreads and
 nss_threads. And three sample applications: dumpcert, dumpcrl and