Bug 1107731 - Upgrade Mozilla 36 to use NSS 3.17.4. a=sledru
authorKai Engert <kaie@kuix.de>
Thu, 22 Jan 2015 12:34:00 -0500
changeset 243032 f4e1d64f9ab9
parent 243031 5d7d74f94d6a
child 243033 e6cefc687439
push id4368
push userryanvm@gmail.com
push date2015-01-26 15:37 +0000
treeherdermozilla-beta@e6cefc687439 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssledru
bugs1107731
milestone36.0
Bug 1107731 - Upgrade Mozilla 36 to use NSS 3.17.4. a=sledru
configure.in
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/pp/pp.c
security/nss/coreconf/command.mk
security/nss/coreconf/coreconf.dep
security/nss/coreconf/rules.mk
security/nss/doc/Makefile
security/nss/doc/certutil.xml
security/nss/doc/html/certutil.html
security/nss/doc/nroff/certutil.1
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/lib/certdb/certt.h
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/freebl/ecl/README
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/doc/LICENSE-MPL
security/nss/lib/freebl/mpi/tests/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/README
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_revchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/tdcache.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/util/nssutil.h
security/nss/pkg/solaris/common_files/copyright
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/dbtests/dbtests.sh
security/nss/tests/iopr/server_scr/config
security/nss/tests/libpkix/sample_apps/README
--- a/configure.in
+++ b/configure.in
@@ -3604,17 +3604,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.17.3, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.17.4, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
 
    if test -z "$GNU_CC" -a "$OS_ARCH" = "WINNT"; then
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_17_3_RTM
+NSS_3_17_4_RC0
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -966,29 +966,29 @@ ListModules(void)
 static void 
 PrintSyntax(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
 	"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
-    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
     	progName);
     FPS "\t%s -B -i batch-file\n", progName);
     FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
 	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-        "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-Z hashAlg]\n"
         "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
         "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
         "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
         "\t\t [-8 dns-names] [-a]\n",
 	progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
 	progName);
     FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", 
 	progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
 	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
 #ifndef NSS_DISABLE_ECC
@@ -1005,34 +1005,35 @@ PrintSyntax(char *progName)
 	progName);
     FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
     FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
     FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
 	progName);
     FPS "\t\t [-P targetDBPrefix] [--source-prefix sourceDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
-    FPS "\t%s -L [-n cert-name] [--email email-address] [-X] [-r] [-a]\n",
+    FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
 	progName);
-    FPS "\t\t [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+    FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
     FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
 	progName);
     FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
     FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
-	"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile] [-g key-size]\n",
+        "\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
+        "\t\t [-g key-size] [-Z hashAlg]\n",
 	progName);
     FPS "\t%s -V -n cert-name -u usage [-b time] [-e] [-a]\n"
 	"\t\t[-X] [-d certdir] [-P dbprefix]\n",
 	progName);
     FPS "Usage:  %s -W [-d certdir] [-f pwfile] [-@newpwfile]\n",
 	progName);
     FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x]  -t trustargs\n"
 	"\t\t [-k key-type-or-id] [-q key-params] [-h token-name] [-g key-size]\n"
         "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-	"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-Z hashAlg]\n"
         "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
         "\t\t [-8 DNS-names]\n"
         "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
         "\t\t [--extSKID] [--extNC] [--extSAN type:name[,type:name]...]\n"
 	"\t\t [--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...]\n", progName);
     FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
     exit(1);
 }
@@ -1133,16 +1134,21 @@ static void luC(enum usage_level ul, con
         "   -v months-valid");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
+    FPS "%-20s \n"
               "%-20s Create key usage extension. Possible keywords:\n"
               "%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
               "%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
               "%-20s \"crlSigning\", \"critical\"\n",
         "   -1 | --keyUsage keyword,keyword,...", "", "", "", "");
     FPS "%-20s Create basic constraint extension\n",
         "   -2 ");
     FPS "%-20s Create authority key ID extension\n",
@@ -1331,16 +1337,18 @@ static void luK(enum usage_level ul, con
 static void luL(enum usage_level ul, const char *command)
 {
     int is_my_command = (command && 0 == strcmp(command, "L"));
     if (ul == usage_all || !command || is_my_command)
     FPS "%-15s List all certs, or print out a single named cert (or a subset)\n",
         "-L");
     if (ul == usage_selected && !is_my_command)
         return;
+    FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
+        "   -h token-name ");
     FPS "%-20s Pretty print named cert (list all if unspecified)\n",
         "   -n cert-name");
     FPS "%-20s \n"
               "%-20s Pretty print cert with email address (list all if unspecified)\n",
         "   --email email-address", "");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
@@ -1383,16 +1391,18 @@ static void luN(enum usage_level ul, con
     FPS "%-15s Create a new certificate database\n",
         "-N");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
+    FPS "%-20s Specify the password file\n",
+        "   -f password-file");
     FPS "%-20s use empty password when creating a new database\n",
         "   --empty-password");
     FPS "\n");
 }
 
 static void luT(enum usage_level ul, const char *command)
 {
     int is_my_command = (command && 0 == strcmp(command, "T"));
@@ -1468,16 +1478,21 @@ static void luR(enum usage_level ul, con
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
+    FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
     FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
         "   -a");
     FPS "%-20s \n",
         "   See -S for available extension options");
     FPS "%-20s \n",
         "   See -G for available key flag options");
     FPS "\n");
 }
@@ -1629,16 +1644,21 @@ static void luS(enum usage_level ul, con
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
+    FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
     FPS "%-20s Create key usage extension\n",
         "   -1 ");
     FPS "%-20s Create basic constraint extension\n",
         "   -2 ");
     FPS "%-20s Create authority key ID extension\n",
         "   -3 ");
     FPS "%-20s Create crl distribution point extension\n",
         "   -4 ");
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -489,17 +489,16 @@ getECParams(const char *curve)
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 			    int publicExponent, const char *noise, 
 			    SECKEYPublicKey **pubkeyp, const char *pqgFile,
 			    PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
 			    CK_FLAGS opFlagsOff, secuPWData *pwdata)
 {
     CK_MECHANISM_TYPE  mechanism;
-    SECOidTag          algtag;
     PK11RSAGenParams   rsaparams;
     SECKEYPQGParams  * dsaparams = NULL;
     void             * params;
     SECKEYPrivateKey * privKey = NULL;
 
     if (slot == NULL)
 	return NULL;
 
@@ -524,22 +523,20 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
 	}
     }
 
     switch (keytype) {
     case rsaKey:
 	rsaparams.keySizeInBits = size;
 	rsaparams.pe = publicExponent;
 	mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-	algtag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
 	params = &rsaparams;
 	break;
     case dsaKey:
 	mechanism = CKM_DSA_KEY_PAIR_GEN;
-	algtag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
 	if (pqgFile) {
 	    dsaparams = getpqgfromfile(size, pqgFile);
 	    if (dsaparams == NULL)
 	    	return NULL;
 	    params = dsaparams;
 	} else {
 	    /* cast away const, and don't set dsaparams */
 	    params = (void *)&default_pqg_params;
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -26,18 +26,17 @@ static void Usage(char *progName)
 	    progName);
     fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
     fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
     fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
             SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
-    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
-            SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
+    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");
     fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
 	    "-o output");
     fprintf(stderr, "%-14s Don't wrap long output lines\n",
 	    "-w");
--- a/security/nss/coreconf/command.mk
+++ b/security/nss/coreconf/command.mk
@@ -6,18 +6,17 @@
 #######################################################################
 # Master "Core Components" default command macros;                    #
 # can be overridden in <arch>.mk                                      #
 #######################################################################
 
 AS            = $(CC)
 ASFLAGS      += $(CFLAGS)
 CCF           = $(CC) $(CFLAGS)
-LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS)
-LINK_EXE      = $(LINK) $(OS_LFLAGS) $(LFLAGS)
+LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
 CFLAGS        = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
 		$(XCFLAGS)
 PERL          = perl
 RANLIB        = echo
 TAR           = /bin/tar
 #
 # For purify
 #
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/coreconf/rules.mk
+++ b/security/nss/coreconf/rules.mk
@@ -236,17 +236,17 @@ endif
 alltags:
 	rm -f TAGS
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
-	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(XLDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
@@ -327,17 +327,17 @@ endif
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+	$(LDFLAGS) $(XLDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -34,29 +34,16 @@ date.xml:
 
 version.xml:
 	echo -n ${VERSION} > $@
 
 .PHONY : $(MANPAGES)
 .PHONY : $(HTMLPAGES)
 .PHONY : $(TXTPAGES)
 
-#------------------------------------------
-# Package a tar ball for building in fedora
-# Include the makefile and .xml files only
-# man pages will be created at build time
-#------------------------------------------
-
-tarball:
-	rm -rf $(name); \
-	mkdir -p $(name)/nroff; \
-	cp Makefile $(name); \
-	cp *.xml $(name); \
-	tar cvjf $(name)-$(date).tar.bz2 $(name)
-
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
 	
 MANPAGES = \
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -455,16 +455,33 @@ of the attribute codes:
       </varlistentry>
 
       <varlistentry>
         <term>-z noise-file</term>
         <listitem><para>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>-Z hashAlg</term>
+        <listitem>
+        <para>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</para>
+        <itemizedlist>
+          <listitem><para>MD2</para></listitem>
+          <listitem><para>MD4</para></listitem>
+          <listitem><para>MD5</para></listitem>
+          <listitem><para>SHA1</para></listitem>
+          <listitem><para>SHA224</para></listitem>
+          <listitem><para>SHA256</para></listitem>
+          <listitem><para>SHA384</para></listitem>
+          <listitem><para>SHA512</para></listitem>
+        </itemizedlist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-0 SSO_password</term>
         <listitem><para>Set a site security officer password on a token.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-1 | --keyUsage keyword,keyword</term>
         <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para>
 	<itemizedlist>
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,9 +1,9 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm226659332128"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idp47645360"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
 <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
 </p><p>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
@@ -56,17 +56,17 @@ of the attribute codes:
 	</p></li></ul></div><p>
 		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
 	</p><p><span class="command"><strong>-t "TCu,Cu,Tu"</strong></span></p><p>
 	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
  for the beginning of a certificate's validity period. Use when creating 
  the certificate or adding it to a database. Express the offset in integers, 
  using a minus sign (-) to indicate a negative offset. If this argument is 
  not used, the validity period begins at the current system time. The length 
- of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-Z hashAlg</span></dt><dd><p>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>MD2</p></li><li class="listitem"><p>MD4</p></li><li class="listitem"><p>MD5</p></li><li class="listitem"><p>SHA1</p></li><li class="listitem"><p>SHA224</p></li><li class="listitem"><p>SHA256</p></li><li class="listitem"><p>SHA384</p></li><li class="listitem"><p>SHA512</p></li></ul></div></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		digitalSignature
 	</p></li><li class="listitem"><p>
 		nonRepudiation
 	</p></li><li class="listitem"><p>
 		keyEncipherment
 	</p></li><li class="listitem"><p>
 		dataEncipherment
 	</p></li><li class="listitem"><p>
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 29 July 2014
+.\"      Date:  7 January 2015
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "7 January 2015" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -614,16 +614,109 @@ to generate the signature for a certific
 Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&.
 .RE
 .PP
 \-z noise\-file
 .RS 4
 Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&.
 .RE
 .PP
+\-Z hashAlg
+.RS 4
+Specify the hash algorithm to use with the \-C, \-S or \-R command options\&. Possible keywords:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD2
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD5
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA1
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA224
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA256
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA384
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA512
+.RE
+.RE
+.PP
 \-0 SSO_password
 .RS 4
 Set a site security officer password on a token\&.
 .RE
 .PP
 \-1 | \-\-keyUsage keyword,keyword
 .RS 4
 Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are several available keywords:
--- a/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
@@ -2,31 +2,32 @@
 #include "nss.h"
 #include "ssl.h"
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
+std::string g_working_dir_path;
+
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
-  std::string path = ".";
+  g_working_dir_path = ".";
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
-      path = argv[i + 1];
+      g_working_dir_path = argv[i + 1];
       ++i;
     }
   }
 
-  NSS_Initialize(path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
+  NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
   NSS_SetDomesticPolicy();
-
   int rv = RUN_ALL_TESTS();
 
   NSS_Shutdown();
 
   nss_test::Poller::Shutdown();
 
   return rv;
 }
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -11,16 +11,18 @@
 
 #include "test_io.h"
 #include "tls_parser.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
 
+extern std::string g_working_dir_path;
+
 namespace nss_test {
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
 // Inspector that parses out DTLS records and passes
 // them on.
 class TlsRecordInspector : public Inspector {
  public:
@@ -206,17 +208,20 @@ class TlsAgent : public PollTarget {
 
   TlsAgent(const std::string& name, Role role, Mode mode)
       : name_(name),
         mode_(mode),
         pr_fd_(nullptr),
         adapter_(nullptr),
         ssl_fd_(nullptr),
         role_(role),
-        state_(INIT) {}
+        state_(INIT) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+  }
 
   ~TlsAgent() {
     if (pr_fd_) {
       PR_Close(pr_fd_);
     }
 
     if (ssl_fd_) {
       PR_Close(ssl_fd_);
@@ -282,26 +287,46 @@ class TlsAgent : public PollTarget {
       if (!priv) return false;  // Leak cert.
 
       SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
       EXPECT_EQ(SECSuccess, rv);
       if (rv != SECSuccess) return false;  // Leak cert and key.
 
       SECKEY_DestroyPrivateKey(priv);
       CERT_DestroyCertificate(cert);
+    } else {
+      SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+      EXPECT_EQ(SECSuccess, rv);
+      if (rv != SECSuccess) return false;
     }
 
     SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
                                            reinterpret_cast<void*>(this));
     EXPECT_EQ(SECSuccess, rv);
     if (rv != SECSuccess) return false;
 
     return true;
   }
 
+  void SetSessionTicketsEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                                  en ? PR_TRUE : PR_FALSE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void SetSessionCacheEnabled(bool en) {
+    ASSERT_TRUE(EnsureTlsSetup());
+
+    SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                                  en ? PR_FALSE : PR_TRUE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
   void SetVersionRange(uint16_t minver, uint16_t maxver) {
     SSLVersionRange range = {minver, maxver};
     ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
   }
 
   State state() const { return state_; }
 
   const char* state_str() const { return state_str(state()); }
@@ -369,16 +394,21 @@ class TlsAgent : public PollTarget {
       case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
       default:
         LOG("Handshake failed with error " << err);
         SetState(ERROR);
         return;
     }
   }
 
+  std::vector<uint8_t> GetSessionId() {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -421,17 +451,29 @@ class TlsConnectTestBase : public ::test
         client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
         server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
 
   ~TlsConnectTestBase() {
     delete client_;
     delete server_;
   }
 
-  void SetUp() { Init(); }
+  void SetUp() {
+    // Configure a fresh session cache.
+    SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+    Init();
+  }
+
+  void TearDown() {
+    client_ = nullptr;
+    server_ = nullptr;
+
+    SSL_ShutdownServerSessionIDCache();
+  }
 
   void Init() {
     ASSERT_TRUE(client_->Init());
     ASSERT_TRUE(server_->Init());
 
     client_->SetPeer(server_);
     server_->SetPeer(client_);
   }
@@ -466,27 +508,36 @@ class TlsConnectTestBase : public ::test
     bool ret = client_->cipher_suite(&cipher_suite1);
     ASSERT_TRUE(ret);
     ret = server_->cipher_suite(&cipher_suite2);
     ASSERT_TRUE(ret);
     ASSERT_EQ(cipher_suite1, cipher_suite2);
 
     std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
               << std::endl;
+
+    // Check and store session ids.
+    std::vector<uint8_t> sid_c1 = client_->GetSessionId();
+    ASSERT_EQ(32, sid_c1.size());
+    std::vector<uint8_t> sid_s1 = server_->GetSessionId();
+    ASSERT_EQ(32, sid_s1.size());
+    ASSERT_EQ(sid_c1, sid_s1);
+    session_id_ = sid_c1;
   }
 
   void EnableSomeECDHECiphers() {
     client_->EnableSomeECDHECiphers();
     server_->EnableSomeECDHECiphers();
   }
 
  protected:
   Mode mode_;
   TlsAgent* client_;
   TlsAgent* server_;
+  std::vector<uint8_t> session_id_;
 };
 
 class TlsConnectTest : public TlsConnectTestBase {
  public:
   TlsConnectTest() : TlsConnectTestBase(STREAM) {}
 };
 
 class DtlsConnectTest : public TlsConnectTestBase {
@@ -511,16 +562,36 @@ TEST_P(TlsConnectGeneric, Connect) {
   // Check that we negotiated the expected version.
   if (mode_ == STREAM) {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
   } else {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
   }
 }
 
+TEST_P(TlsConnectGeneric, ConnectResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  Connect();
+  ASSERT_EQ(old_sid, session_id_) << "Session was not resumed when it should have been";
+}
+
+TEST_P(TlsConnectGeneric, ConnectNotResumed) {
+  Connect();
+  std::vector<uint8_t> old_sid = session_id_;
+
+  Reset();
+  client_->SetSessionCacheEnabled(false);
+  Connect();
+
+  ASSERT_NE(old_sid, session_id_) << "Session was resumed when it should not have been";
+}
+
 TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
   EnsureTlsSetup();
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
 
@@ -556,16 +627,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
 
   // Restart
   Reset();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
   EnableSomeECDHECiphers();
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are the same.
   ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
@@ -589,16 +661,17 @@ TEST_F(TlsConnectTest, ConnectECDHETwice
   // Restart
   Reset();
   EnableSomeECDHECiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
   server_->SetInspector(i2);
+  client_->SetSessionCacheEnabled(false);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
   ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
 
   // Make sure they are different.
   ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -1172,26 +1172,26 @@ typedef struct {
      *     is not yet aware of the latest revocation methods
      *     (or does not want to use them).
      */ 
     PRUint64 *cert_rev_flags_per_method;
 
     /*
      * How many preferred methods are specified?
      * This is equivalent to the size of the array that 
-     *      preferred_revocation_methods points to.
+     *      preferred_methods points to.
      * It's allowed to set this value to zero,
      *      then NSS will decide which methods to prefer.
      */
     PRUint32 number_of_preferred_methods;
 
     /* Array that may specify an optional order of preferred methods.
      * Each array entry shall contain a method identifier as defined
      *   by CERTRevocationMethodIndex.
-     * The entry at index [0] specifies the method with highest preferrence.
+     * The entry at index [0] specifies the method with highest preference.
      * These methods will be tested first for locally available information.
      * Methods allowed for downloading will be attempted in the same order.
      */
     CERTRevocationMethodIndex *preferred_methods;
 
     /*
      * An integer which defines certain aspects of revocation checking
      * (independent of individual methods) by having individual
--- a/security/nss/lib/ckfw/dbm/db.c
+++ b/security/nss/lib/ckfw/dbm/db.c
@@ -132,17 +132,18 @@ nss_dbm_db_set_label
 
   k.data = PREFIX_METADATA "Label";
   k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
   v.data = label;
   v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
 
   /* Locked region */ 
   {
-    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+    rv = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != rv ) {
       return rv;
     }
 
     dbrv = db->db->put(db->db, &k, &v, 0);
     if( 0 != dbrv ) {
       rv = CKR_DEVICE_ERROR;
     }
 
--- a/security/nss/lib/ckfw/nssmkey/mobject.c
+++ b/security/nss/lib/ckfw/nssmkey/mobject.c
@@ -1875,17 +1875,17 @@ nss_ckmk_CreateObject
 (
   NSSCKFWSession *fwSession,
   CK_ATTRIBUTE_PTR pTemplate,
   CK_ULONG ulAttributeCount,
   CK_RV *pError
 )
 {
   CK_OBJECT_CLASS objClass;
-  ckmkInternalObject *io;
+  ckmkInternalObject *io = NULL;
   CK_BBOOL isToken;
 
   /*
    * only create token objects
    */
   isToken = nss_ckmk_GetBoolAttribute(CKA_TOKEN, pTemplate, 
                                       ulAttributeCount, CK_FALSE);
   if (!isToken) {
--- a/security/nss/lib/freebl/ecl/README
+++ b/security/nss/lib/freebl/ecl/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the elliptic curve math library.
-
-The Initial Developer of the Original Code is Sun Microsystems, Inc.
-Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
-Sun Microsystems, Inc. All Rights Reserved.
-
-Contributor(s):
-    Stephen Fung <fungstep@hotmail.com> and
-    Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
  
 The ECL exposes routines for constructing and converting curve
 parameters for internal use.
 
 
 HEADER FILES
 ============
 
--- a/security/nss/lib/freebl/mpi/README
+++ b/security/nss/lib/freebl/mpi/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1997-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 About the MPI Library
 ---------------------
 
 The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
 signed integer arithmetic package.  The implementation is not the most
 efficient possible, but the code is small and should be fairly easily
 portable to just about any machine that supports an ANSI C compiler,
--- a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
@@ -1,35 +1,3 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/lib/freebl/mpi/utils/README
+++ b/security/nss/lib/freebl/mpi/utils/README
@@ -1,44 +1,11 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 Additional MPI utilities
 ------------------------
 
 The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
 the MPI library for dealing with prime numbers (in particular, testing
 for divisbility, and the Rabin-Miller probabilistic primality test).
 
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -1088,12 +1088,11 @@ PKIX_ERRORENTRY(X500NAMECREATEFROMUTF8FA
 PKIX_ERRORENTRY(X500NAMEEQUALSFAILED,PKIX_PL_X500Name_Equals failed,0),
 PKIX_ERRORENTRY(X500NAMEGETCOMMONNAMEFAILED,pkix_pl_X500Name_GetCommonName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETCOUNTRYNAMEFAILED,pkix_pl_X500Name_GetCountryName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETORGNAMEFAILED,pkix_pl_X500Name_GetOrgName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETSECNAMEFAILED,pkix_pl_X500Name_GetSECName failed,0),
 PKIX_ERRORENTRY(X500NAMEHASHCODEFAILED,PKIX_PL_X500Name_Hashcode failed,0),
 PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0),
 PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0),
-PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed,0),
 PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0),
 PKIX_ERRORENTRY(INVALIDOCSPHTTPMETHOD,Unsupported HTTP Method for OCSP retrieval,0),
 PKIX_ERRORENTRY(OCSPGETREQUESTTOOBIG,OCSP request too big for HTTP GET method,0)
--- a/security/nss/lib/libpkix/include/pkix_revchecker.h
+++ b/security/nss/lib/libpkix/include/pkix_revchecker.h
@@ -112,17 +112,17 @@ PKIX_RevocationChecker_Create(
  *      Address of ProcessingParams used to initialize the checker.
  *      Must be non-NULL.
  *  "methodType"
  *      Type of the method. Currently only two types are
  *      supported: crl and ocsp. (See PKIX_RevocationMethodType enum).
  *  "methodFlags"
  *      Set of flags for the method.
  *  "methodPriority"
- *      Method priority. (0 corresponds to a highest priority)
+ *      Method priority. (0 corresponds to the highest priority)
  *  "verificationFn"
  *      User call back function that will perform validation of fetched
  *      revocation information(new crl or ocsp response)
  *  "isLeafMethod"
  *      Boolean flag that if set to true indicates that the method should
  *      should be used for leaf cert revocation test(false for chain set
  *      methods).
  *  "plContext"
@@ -138,17 +138,17 @@ PKIX_RevocationChecker_Create(
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_RevocationChecker_CreateAndAddMethod(
     PKIX_RevocationChecker *revChecker,
     PKIX_ProcessingParams *params,
     PKIX_RevocationMethodType methodType,
     PKIX_UInt32 methodFlags,
-    PKIX_UInt32 mathodPriority,
+    PKIX_UInt32 methodPriority,
     PKIX_PL_VerifyCallback verificationFn,
     PKIX_Boolean isLeafMethod,
     void *plContext);
 
 /*
  * FUNCTION: PKIX_RevocationChecker_Check
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
         entry.comparator = NULL;
         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
 
         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
 
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 
-/* Sort methods by theirs priorities */
+/* Sort methods by their priorities (lower priority = higher preference) */
 static PKIX_Error *
 pkix_RevocationChecker_SortComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
     
     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
     
     method1 = (pkix_RevocationMethod *)obj1;
     method2 = (pkix_RevocationMethod *)obj2;
     
-    *pResult = (method1->priority > method2->priority);
+    if (method1->priority < method2->priority) {
+      *pResult = -1;
+    } else if (method1->priority > method2->priority) {
+      *pResult = 1;
+    } else {
+      *pResult = 0;
+    }
     
     PKIX_RETURN(BUILD);
 }
 
 
 /* --Public-Functions--------------------------------------------- */
 
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
@@ -43,18 +43,19 @@ pkix_ExternalRevocationCheckFn(PKIX_PL_C
                                pkix_RevocationMethod *checkerObject,
                                PKIX_ProcessingParams *procParams,
                                PKIX_UInt32 methodFlags,
                                PKIX_RevocationStatus *pRevStatus,
                                PKIX_UInt32 *reasonCode,
                                void **pNBIOContext, void *plContext);
 
 /* Revocation method structure assosiates revocation types with
- * a set of flags on the method, a priority of the method, and
- * method local/external checker functions. */
+ * a set of flags on the method, a priority of the method (0
+ * corresponds to the highest priority), and method local/external
+ * checker functions. */
 struct pkix_RevocationMethodStruct {
     PKIX_RevocationMethodType methodType;
     PKIX_UInt32 flags;
     PKIX_UInt32 priority;
     pkix_LocalRevocationCheckFn (*localRevChecker);
     pkix_ExternalRevocationCheckFn (*externalRevChecker);
 };
 
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
 
 /* --Private-BuildChain-Functions------------------------------------------- */
 
 /*
  * FUNCTION: pkix_Build_SortCertComparator
  * DESCRIPTION:
  *
  *  This Function takes two Certificates cast in "obj1" and "obj2",
- *  compares their validity NotAfter dates and returns the result at
- *  "pResult". The comparison key(s) can be expanded by using other
- *  data in the Certificate in the future.
+ *  compares them to determine which is a more preferable certificate
+ *  for chain building. This Function is suitable for use as a
+ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
+ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
+ *  is more desirable than "obj2".
  *
  * PARAMETERS:
  *  "obj1"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
  *  "obj2"
  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
  *      Must be non-NULL.
@@ -686,24 +688,24 @@ static PKIX_Error *
 pkix_Build_SortCertComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
         PKIX_PL_Date *date1 = NULL;
         PKIX_PL_Date *date2 = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Int32 result = 0;
 
         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
 
         /*
          * For sorting candidate certificates, we use NotAfter date as the
-         * sorted key for now (can be expanded if desired in the future).
+         * comparison key for now (can be expanded if desired in the future).
          *
          * In PKIX_BuildChain, the List of CertStores was reordered so that
          * trusted CertStores are ahead of untrusted CertStores. That sort, or
          * this one, could be taken out if it is determined that it doesn't help
          * performance, or in some way hinders the solution of choosing desired
          * candidates.
          */
 
@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
         
         PKIX_CHECK(PKIX_PL_Object_Compare
                 ((PKIX_PL_Object *)date1,
                 (PKIX_PL_Object *)date2,
                 &result,
                 plContext),
                 PKIX_OBJECTCOMPARATORFAILED);
 
-        *pResult = !result;
+        /*
+         * Invert the result, so that if date1 is greater than date2,
+         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
+         * sorts in ascending order.
+         */
+        *pResult = -result;
 
 cleanup:
 
         PKIX_DECREF(date1);
         PKIX_DECREF(date2);
 
         PKIX_RETURN(BUILD);
 }
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
@@ -40,9 +40,14 @@ pkix_pl_CrlDp_RegisterSelf(void *plConte
 
 /* Parses CRLDistributionPoint structure and creaetes
  * pkix_pl_CrlDp object. */
 PKIX_Error *
 pkix_pl_CrlDp_Create(const CRLDistributionPoint *dp,
                      const CERTName *certIssuerName,
                      pkix_pl_CrlDp **pPkixDP,
                      void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* _PKIX_PL_CRLDP_H */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
@@ -8,71 +8,16 @@
  *
  */
 
 #include "pkix_pl_x500name.h"
 
 /* --Private-X500Name-Functions------------------------------------- */
 
 /*
- * FUNCTION: pkix_pl_X500Name_ToString_Helper
- * DESCRIPTION:
- *
- *  Helper function that creates a string representation of the X500Name
- *  pointed to by "name" and stores it at "pString".
- *
- * PARAMETERS
- *  "name"
- *      Address of X500Name whose string representation is desired.
- *      Must be non-NULL.
- *  "pString"
- *      Address where object pointer will be stored. Must be non-NULL.
- *  "plContext" - Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns NULL if the function succeeds.
- *  Returns a X500Name Error if the function fails in a non-fatal way.
- *  Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-static PKIX_Error *
-pkix_pl_X500Name_ToString_Helper(
-        PKIX_PL_X500Name *name,
-        PKIX_PL_String **pString,
-        void *plContext)
-{
-        CERTName *nssDN = NULL;
-        char *utf8String = NULL;
-        PKIX_UInt32 utf8Length;
-
-        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_ToString_Helper");
-        PKIX_NULLCHECK_TWO(name, pString);
-        nssDN = &name->nssDN;
-
-        /* this should really be called CERT_NameToUTF8 */
-        utf8String = CERT_NameToAsciiInvertible(nssDN, CERT_N2A_INVERTIBLE);
-        if (!utf8String){
-                PKIX_ERROR(PKIX_CERTNAMETOASCIIFAILED);
-        }
-
-        PKIX_X500NAME_DEBUG("\t\tCalling PL_strlen).\n");
-        utf8Length = PL_strlen(utf8String);
-
-        PKIX_CHECK(PKIX_PL_String_Create
-                    (PKIX_UTF8, utf8String, utf8Length, pString, plContext),
-                    PKIX_STRINGCREATEFAILED);
-
-cleanup:
-
-        PR_Free(utf8String);
-
-        PKIX_RETURN(X500NAME);
-}
-
-/*
  * FUNCTION: pkix_pl_X500Name_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_pl_X500Name_Destroy(
         PKIX_PL_Object *object,
         void *plContext)
 {
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,20 +28,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.17.3" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.17.4" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   17
-#define NSS_VPATCH   3
+#define NSS_VPATCH   4
 #define NSS_VBUILD   0
 #define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -288,31 +288,28 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJ
  */
 CERTCertificate *
 PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
 						CK_ATTRIBUTE *privateLabel)
 {
     char * nickname = NULL;
     CERTCertificate *cert = NULL;
     CERTCertTrust *trust;
-    PRBool isFortezzaRootCA = PR_FALSE;
-    PRBool swapNickname = PR_FALSE;
 
     cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
     if (cert == NULL) 
     	goto loser;
-	
+
     if (nickname) {
 	if (cert->nickname != NULL) {
 	    cert->dbnickname = cert->nickname;
 	} 
 	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
 	PORT_Free(nickname);
 	nickname = NULL;
-	swapNickname = PR_TRUE;
     }
 
     /* remember where this cert came from.... If we have just looked
      * it up from the database and it already has a slot, don't add a new
      * one. */
     if (cert->slot == NULL) {
 	cert->slot = PK11_ReferenceSlot(slot);
 	cert->pkcs11ID = certID;
@@ -338,17 +335,16 @@ PK11_MakeCertFromHandle(PK11SlotInfo *sl
 	    if (pk11_isID0(slot,certID) && 
 		cert->isRoot) {
 		trustflags |= CERTDB_TRUSTED_CA;
 		/* is the slot a fortezza card? allow the user or
 		 * admin to turn on objectSigning, but don't turn
 		 * full trust on explicitly */
 		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
 		    trust->objectSigningFlags |= CERTDB_VALID_CA;
-		    isFortezzaRootCA = PR_TRUE;
 		}
 	    }
 	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
 		trust->sslFlags |= trustflags;
 	    }
 	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
 		trust->emailFlags |= trustflags;
 	    }
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -1373,36 +1373,35 @@ SECItem *
 pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) 
 { 
     CK_RC2_CBC_PARAMS *rc2_params;
     CK_RC2_PARAMS *rc2_ecb_params;
     SECItem *mech;
     SECItem iv;
     SECStatus rv;
 
-
     mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
     if (mech == NULL) return NULL;
 
     rv = SECSuccess;
     mech->type = siBuffer;
+    mech->data = NULL;
+    mech->len = 0;
     switch (type) {
     case CKM_RC4:
     case CKM_SEED_ECB:
     case CKM_CAMELLIA_ECB:
     case CKM_AES_ECB:
     case CKM_DES_ECB:
     case CKM_DES3_ECB:
     case CKM_IDEA_ECB:
     case CKM_CDMF_ECB:
     case CKM_CAST_ECB:
     case CKM_CAST3_ECB:
     case CKM_CAST5_ECB:
-	mech->data = NULL;
-	mech->len = 0;
 	break;
     case CKM_RC2_ECB:
 	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
 	if (rc2_ecb_params == NULL) {
 	    rv = SECFailure;
 	    break;
 	}
 	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
@@ -1440,18 +1439,16 @@ pk11_GenerateNewParamWithKeyLen(CK_MECHA
 	rv = pk11_GenIV(type,&iv);
 	if (rv != SECSuccess) {
 	    break;
 	}
         PORT_Free(mech);
 	return PK11_ParamFromIV(type,&iv);
     default:
 	if (pk11_lookup(type)->iv == 0) {
-	    mech->data = NULL;
-	    mech->len = 0;
 	    break;
 	}
     case CKM_SEED_CBC:
     case CKM_CAMELLIA_CBC:
     case CKM_AES_CBC:
     case CKM_DES_CBC:
     case CKM_DES3_CBC:
     case CKM_IDEA_CBC:
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -851,16 +851,18 @@ fill_CERTCertificateFields(NSSCertificat
 
 static CERTCertificate *
 stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
 {
     nssDecodedCert *dc = NULL;
     CERTCertificate *cc = NULL;
     CERTCertTrust certTrust;
 
+    /* make sure object does not go away until we finish */
+    nssPKIObject_AddRef(&c->object);
     nssPKIObject_Lock(&c->object);
 
     dc = c->decoding;
     if (!dc) {
 	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
 	if (!dc) {
             goto loser;
         }
@@ -900,16 +902,17 @@ stan_GetCERTCertificate(NSSCertificate *
 
         CERT_LockCertTrust(cc);
         cc->trust = trust;
         CERT_UnlockCertTrust(cc);
     }
 
   loser:
     nssPKIObject_Unlock(&c->object);
+    nssPKIObject_Destroy(&c->object);
     return cc;
 }
 
 NSS_IMPLEMENT CERTCertificate *
 STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
 {
     if (c->decoding) {
 	return stan_GetCERTCertificate(c, PR_TRUE);
@@ -1266,16 +1269,17 @@ done:
 */
 static PRStatus
 DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
 {
     int numNotDestroyed = 0;     /* the ones skipped plus the failures */
     int failureCount = 0;        /* actual deletion failures by devices */
     int index;
 
+    nssPKIObject_AddRef(tObject);
     nssPKIObject_Lock(tObject);
     /* Keep going even if a module fails to delete. */
     for (index = 0; index < tObject->numInstances; index++) {
 	nssCryptokiObject *instance = tObject->instances[index];
 	if (!instance) {
 	    continue;
 	}
 
@@ -1299,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
     if (numNotDestroyed == 0) {
     	nss_ZFreeIf(tObject->instances);
     	tObject->numInstances = 0;
     } else {
     	tObject->numInstances = numNotDestroyed;
     }
 
     nssPKIObject_Unlock(tObject);
+    nssPKIObject_Destroy(tObject);
 
     return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
 }
 
 /*
 ** Delete trust objects matching the slot of the given certificate.
 ** Returns an error if any device fails to delete. 
 */
@@ -1325,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
     int i;
 
     /* Iterate through the cert and trust object instances looking for
      * those with matching pk11 slots to delete. Even if some device
      * can't delete we keep going. Keeping a status variable for the
      * loop so that once it's failed the other gets set.
      */
     NSSRWLock_LockRead(td->tokensLock);
+    nssPKIObject_AddRef(cobject);
     nssPKIObject_Lock(cobject);
     for (i = 0; i < cobject->numInstances; i++) {
 	nssCryptokiObject *cInstance = cobject->instances[i];
 	if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
 		PRStatus status;
 	    if (!tobject->numInstances || !tobject->instances) continue;
 	    status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
 	    if (status == PR_FAILURE) {
 	    	/* set the outer one but keep going */
 	    	nssrv = PR_FAILURE;
 	    }
 	}
     }
     nssPKIObject_Unlock(cobject);
+    nssPKIObject_Destroy(cobject);
     NSSRWLock_UnlockRead(td->tokensLock);
     return nssrv;
 }
 
 /* CERT_TraversePermCertsForSubject */
 NSS_IMPLEMENT PRStatus
 nssTrustDomain_TraverseCertificatesBySubject (
   NSSTrustDomain *td,
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -386,16 +386,17 @@ struct token_cert_dtor {
 
 static void 
 remove_token_certs(const void *k, void *v, void *a)
 {
     NSSCertificate *c = (NSSCertificate *)k;
     nssPKIObject *object = &c->object;
     struct token_cert_dtor *dtor = a;
     PRUint32 i;
+    nssPKIObject_AddRef(object);
     nssPKIObject_Lock(object);
     for (i=0; i<object->numInstances; i++) {
 	if (object->instances[i]->token == dtor->token) {
 	    nssCryptokiObject_Destroy(object->instances[i]);
 	    object->instances[i] = object->instances[object->numInstances-1];
 	    object->instances[object->numInstances-1] = NULL;
 	    object->numInstances--;
 	    dtor->certs[dtor->numCerts++] = c;
@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
 		dtor->certs = nss_ZREALLOCARRAY(dtor->certs, 
 		                                NSSCertificate *,
 		                                dtor->arrSize);
 	    }
 	    break;
 	}
     }
     nssPKIObject_Unlock(object);
+    nssPKIObject_Destroy(object);
     return;
 }
 
 /* 
  * Remove all certs for the given token from the cache.  This is
  * needed if the token is removed. 
  */
 NSS_IMPLEMENT PRStatus
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -715,23 +715,32 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, 
 }
 
 
 /* FC_CreateObject creates a new object. */
  CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
 					CK_OBJECT_HANDLE_PTR phObject) {
     CK_OBJECT_CLASS * classptr;
+    CK_RV rv = CKR_OK;
 
-    SFTK_FIPSCHECK();
     CHECK_FORK();
 
     classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
     if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
 
+    if (*classptr == CKO_NETSCAPE_NEWSLOT || *classptr == CKO_NETSCAPE_DELSLOT) {
+        if (sftk_fatalError)
+            return CKR_DEVICE_ERROR;
+    } else {
+        rv = sftk_fipsCheck();
+        if (rv != CKR_OK)
+            return rv;
+    }
+
     /* FIPS can't create keys from raw key material */
     if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
 	rv = CKR_ATTRIBUTE_VALUE_INVALID;
     } else {
 	rv = NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
     }
     if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
 	sftk_AuditCreateObject(hSession,pTemplate,ulCount,phObject,rv);
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -1686,18 +1686,16 @@ void sdb_SetForkState(PRBool forked)
      * interface, we will need to set it and reset it from here */
 }
 
 /*
  * initialize a single database
  */
 static const char INIT_CMD[] =
  "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)";
-static const char ALTER_CMD[] = 
- "ALTER TABLE %s ADD COLUMN a%x";
 
 CK_RV 
 sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
 	 int *newInit, int flags, PRUint32 accessOps, SDB **pSdb)
 {
     int i;
     char *initStr = NULL;
     char *newStr;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.17.3" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.17.4" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   17
-#define SOFTOKEN_VPATCH   3
+#define SOFTOKEN_VPATCH   4
 #define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -899,17 +899,17 @@ ssl3_NegotiateVersion(sslSocket *ss, SSL
 {
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
 	PORT_SetError(SSL_ERROR_SSL_DISABLED);
 	return SECFailure;
     }
 
     if (peerVersion < ss->vrange.min ||
 	(peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
-	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
 	return SECFailure;
     }
 
     ss->version = PR_MIN(peerVersion, ss->vrange.max);
     PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
 
     return SECSuccess;
 }
@@ -6282,17 +6282,17 @@ ssl3_HandleServerHello(sslSocket *ss, SS
             goto alert_loser;
 	}
     }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
     	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
 						   : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	errCode = SSL_ERROR_UNSUPPORTED_VERSION;
 	goto alert_loser;
     }
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
 	desc = internal_error;
 	errCode = PORT_GetError();
@@ -7694,17 +7694,17 @@ ssl3_HandleClientHello(sslSocket *ss, SS
     } else {
 	ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
     }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
     	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
 	                                           : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	errCode = SSL_ERROR_UNSUPPORTED_VERSION;
 	goto alert_loser;
     }
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
 	desc = internal_error;
 	errCode = PORT_GetError();
 	goto alert_loser;
@@ -8467,18 +8467,19 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
     suite_length = (buffer[3] << 8) | buffer[4];
     sid_length   = (buffer[5] << 8) | buffer[6];
     rand_length  = (buffer[7] << 8) | buffer[8];
     ss->clientHelloVersion = version;
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
 	/* send back which ever alert client will understand. */
-    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
+	                                           : handshake_failure;
+	errCode = SSL_ERROR_UNSUPPORTED_VERSION;
 	goto alert_loser;
     }
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
 	desc = internal_error;
 	errCode = PORT_GetError();
 	goto alert_loser;
@@ -8738,21 +8739,21 @@ ssl3_SendServerHello(sslSocket *ss)
 static SECStatus
 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
 				SSL3SignatureAndHashAlgorithm* out)
 {
     TLSSignatureAlgorithm sigAlg;
     unsigned int i, j;
     /* hashPreference expresses our preferences for hash algorithms, most
      * preferable first. */
-    static const PRUint8 hashPreference[] = {
-	tls_hash_sha256,
-	tls_hash_sha384,
-	tls_hash_sha512,
-	tls_hash_sha1,
+    static const SECOidTag hashPreference[] = {
+        SEC_OID_SHA256,
+        SEC_OID_SHA384,
+        SEC_OID_SHA512,
+        SEC_OID_SHA1,
     };
 
     switch (ss->ssl3.hs.kea_def->kea) {
     case kea_rsa:
     case kea_rsa_export:
     case kea_rsa_export_1024:
     case kea_dh_rsa:
     case kea_dh_rsa_export:
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -2253,17 +2253,17 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PR
  * from a client.
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 static SECStatus
 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv;
     SECItem algorithms;
     const unsigned char *b;
-    unsigned int numAlgorithms, i;
+    unsigned int numAlgorithms, i, j;
 
     /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
         return SECSuccess;
     }
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -2289,30 +2289,31 @@ ssl3_ServerHandleSigAlgsXtn(sslSocket * 
     ss->ssl3.hs.clientSigAndHash =
             PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
     if (!ss->ssl3.hs.clientSigAndHash) {
         return SECFailure;
     }
     ss->ssl3.hs.numClientSigAndHash = 0;
 
     b = algorithms.data;
-    for (i = 0; i < numAlgorithms; i++) {
+    for (i = j = 0; i < numAlgorithms; i++) {
         unsigned char tls_hash = *(b++);
         unsigned char tls_sig = *(b++);
         SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
 
         if (hash == SEC_OID_UNKNOWN) {
             /* We ignore formats that we don't understand. */
             continue;
         }
         /* tls_sig support will be checked later in
          * ssl3_PickSignatureHashAlgorithm. */
-        ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
-        ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
-        ss->ssl3.hs.numClientSigAndHash++;
+        ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash;
+        ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig;
+        ++j;
+        ++ss->ssl3.hs.numClientSigAndHash;
     }
 
     if (!ss->ssl3.hs.numClientSigAndHash) {
         /* We didn't understand any of the client's requested signature
          * formats. We'll use the defaults. */
         PORT_Free(ss->ssl3.hs.clientSigAndHash);
         ss->ssl3.hs.clientSigAndHash = NULL;
     }
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.17.3"
+#define NSSUTIL_VERSION  "3.17.4"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   17
-#define NSSUTIL_VPATCH   3
+#define NSSUTIL_VPATCH   4
 #define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
--- a/security/nss/pkg/solaris/common_files/copyright
+++ b/security/nss/pkg/solaris/common_files/copyright
@@ -1,38 +1,6 @@
 Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.
 
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this package are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this package except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape Portable Runtime (NSPR).
-
-The Initial Developer of the Original Code is
-Netscape Communications Corporation.
-Portions created by the Initial Developer are Copyright (C) 1998-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at http://mozilla.org/MPL/2.0/.
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -1,52 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Network Security Services (NSS)
-#
-# The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2009
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
-#   Ryan Sleevi <ryan.sleevi@gmail.com>, Google
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-#
-# Scenario ocspd.cfg will always be processed first,
-# regardless of its presence in this list.
-#
-# Scenario method.cfg will always be processed, regardless of its presence
-# in this list, and will be processed twice, once with httpserv -O get 
-# and once with -O post. Because method.cfg will be executed with both
-# classic and libpkix engines, it must not contain any policy checks.
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
 bridge.cfg
 megabridge_3_2.cfg
 extension.cfg
 extension2.cfg
 anypolicy.cfg
 anypolicywithlevel.cfg
 explicitPolicy.cfg
--- a/security/nss/tests/dbtests/dbtests.sh
+++ b/security/nss/tests/dbtests/dbtests.sh
@@ -163,29 +163,39 @@ dbtest_main()
     # NFS-mounted directory, it takes several seconds for the
     # first open to see the files are readonly, but subsequent
     # opens immediately see the files are readonly.  As a
     # workaround we open the files once first.  (Bug 185074)
     if [ "${OS_ARCH}" = "Darwin" ]; then
         cat $RONLY_DIR/* > /dev/null
     fi
 
-    ${BINDIR}/dbtest -d $RONLY_DIR
+    # skipping the next two tests when user is root,
+    # otherwise they would fail due to rooty powers
+    if [ $UID -ne 0 ] then
+      ${BINDIR}/dbtest -d $RONLY_DIR
     ret=$?
     if [ $ret -ne 46 ]; then
-      html_failed "Dbtest r/w succeeded in an readonly directory $ret"
+      html_failed "Dbtest r/w succeeded in a readonly directory $ret"
     else
       html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
     fi
-    ${BINDIR}/certutil -D -n "TestUser" -d .
+    else
+      html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+    fi
+    if [ $UID -ne 0 ] then
+      ${BINDIR}/certutil -D -n "TestUser" -d .
     ret=$?
     if [ $ret -ne 255 ]; then
-      html_failed "Certutil succeeded in deleting a cert in an readonly directory $ret"
+      html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret"
     else
-        html_passed "Certutil didn't work in an readonly dir $ret"
+      html_passed "Certutil didn't work in an readonly dir $ret"
+    fi
+    else
+        html_passed "Skipping Certutil delete cert in a readonly directory test because user is root" 
     fi
     
     Echo "test opening the database ronly in a readonly directory"
 
     ${BINDIR}/dbtest -d $RONLY_DIR -r
     ret=$?
     if [ $ret -ne 0 ]; then
       html_failed "Dbtest readonly failed in a readonly directory $ret"
--- a/security/nss/tests/iopr/server_scr/config
+++ b/security/nss/tests/iopr/server_scr/config
@@ -1,42 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Network Security Services (NSS)
-#
-# The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2006-2009
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 certDir=/iopr
 caCertName=TestCA
 caCrlName=TestCA
 userCertNames="TestUser510 TestUser511"
 userRevokedCertNames="TestUser510"
 reverseRunCGIScript="/cgi-bin/client.cgi"
 supportedTests="SslSingleHs"
--- a/security/nss/tests/libpkix/sample_apps/README
+++ b/security/nss/tests/libpkix/sample_apps/README
@@ -1,44 +1,11 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 This directory contains both sample applications and performance evaluation
 applications.
 
 SAMPLE APPLICATIONS
 
 Currently, there are two performance applications: libpkix_buildThreads and
 nss_threads. And three sample applications: dumpcert, dumpcrl and