Bug 822682: Update NSS to NSS 3.14.1 RTM (NSS_3_14_1_RTM), r=me, a=bajaj GECKO180_2012122710_RELBRANCH
authorBrian Smith <bsmith@mozilla.com>
Thu, 27 Dec 2012 13:16:03 -0800
branchGECKO180_2012122710_RELBRANCH
changeset 118171 c59af840586ded0d0139146b909b4304327f8ab5
parent 118170 865d9457ac40913aa499d846979b7d65e3d38ad6
child 236084 46275a772099c666eae3b77b3775de09ccabb043
push id239
push userakeybl@mozilla.com
push dateThu, 03 Jan 2013 21:54:43 +0000
treeherdermozilla-release@3a7b66445659 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme, bajaj
bugs822682
milestone18.0
Bug 822682: Update NSS to NSS 3.14.1 RTM (NSS_3_14_1_RTM), r=me, a=bajaj
client.py
dbm/include/mcom_db.h
dbm/include/winfile.h
dbm/src/Makefile.in
dbm/src/mktemp.c
security/coreconf/Darwin.mk
security/coreconf/Linux.mk
security/coreconf/README
security/coreconf/WIN95.mk
security/coreconf/WINCE.mk
security/coreconf/WINNT.mk
security/coreconf/config.mk
security/coreconf/coreconf.dep
security/coreconf/rules.mk
security/coreconf/ruleset.mk
security/dbm/Makefile
security/nss/Makefile
security/nss/TAG-INFO
security/nss/TAG-INFO-CKBI
security/nss/cmd/addbuiltin/addbuiltin.c
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/lib/basicutil.c
security/nss/cmd/lib/config.mk
security/nss/cmd/lib/secpwd.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/lib/wincemain.c
security/nss/cmd/manifest.mn
security/nss/cmd/ocspclnt/manifest.mn
security/nss/cmd/ocspresp/Makefile
security/nss/cmd/ocspresp/manifest.mn
security/nss/cmd/ocspresp/ocspresp.c
security/nss/cmd/platlibs.mk
security/nss/cmd/strsclnt/strsclnt.c
security/nss/lib/certdb/certi.h
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/manifest.mn
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspsig.c
security/nss/lib/certhigh/ocspt.h
security/nss/lib/certhigh/ocspti.h
security/nss/lib/ckfw/Makefile
security/nss/lib/ckfw/builtins/Makefile
security/nss/lib/ckfw/builtins/certdata.perl
security/nss/lib/ckfw/builtins/config.mk
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour.c
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/genload.c
security/nss/lib/freebl/intel-aes.s
security/nss/lib/freebl/mpi/mpcpucache.c
security/nss/lib/freebl/mpi/mpi.h
security/nss/lib/freebl/mpi/mpi_arm.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11auth.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11priv.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pkcs7/p7decode.c
security/nss/lib/pkcs7/secpkcs7.h
security/nss/lib/softoken/Makefile
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/legacydb/config.mk
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/notes.txt
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/base64.h
security/nss/lib/util/nssb64d.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/secder.h
security/nss/lib/util/secport.c
security/nss/lib/util/secport.h
security/nss/lib/util/utilmod.c
security/nss/lib/util/utilpars.c
security/nss/lib/util/utilpars.h
security/nss/tests/cert/cert.sh
security/nss/tests/chains/chains.sh
security/patches/README
security/patches/bug-683266.patch
security/patches/bug-797572
security/patches/bug-808218.patch
security/patches/bug-812802.patch
--- a/client.py
+++ b/client.py
@@ -91,20 +91,20 @@ def toggle_trailing_blank_line(depname):
   Otherwise we'll add a blank line."""
   lines = open(depname, "r").readlines()
   if not lines:
       print >>sys.stderr, "unexpected short file"
       return
 
   if not lines[-1].strip():
       # trailing line is blank, removing it
-      open(depname, "w").writelines(lines[:-1])
+      open(depname, "wb").writelines(lines[:-1])
   else:
       # adding blank line
-      open(depname, "a").write("\n")
+      open(depname, "ab").write("\n")
 
 o = OptionParser(usage="client.py [options] update_nspr tagname | update_nss tagname | update_libffi tagname | update_webidlparser tagname")
 o.add_option("--skip-mozilla", dest="skip_mozilla",
              action="store_true", default=False,
              help="Obsolete")
 
 o.add_option("--cvs", dest="cvs", default=os.environ.get('CVS', 'cvs'),
              help="The location of the cvs binary")
@@ -123,32 +123,32 @@ except IndexError:
 if action in ('checkout', 'co'):
     print >>sys.stderr, "Warning: client.py checkout is obsolete."
     pass
 elif action in ('update_nspr'):
     tag, = args[1:]
     if not options.cvsroot:
         options.cvsroot = os.environ.get('CVSROOT', CVSROOT_MOZILLA)
     do_cvs_export(NSPR_DIRS, tag, options.cvsroot, options.cvs)
-    print >>file("nsprpub/TAG-INFO", "w"), tag
+    print >>file("nsprpub/TAG-INFO", "wb"), tag
     toggle_trailing_blank_line("nsprpub/config/prdepend.h")
 elif action in ('update_nss'):
     tag, = args[1:]
     if not options.cvsroot:
         options.cvsroot = os.environ.get('CVSROOT', CVSROOT_MOZILLA)
     do_cvs_export(NSS_DIRS, tag, options.cvsroot, options.cvs)
-    print >>file("security/nss/TAG-INFO", "w"), tag
-    print >>file("security/nss/TAG-INFO-CKBI", "w"), tag
+    print >>file("security/nss/TAG-INFO", "wb"), tag
+    print >>file("security/nss/TAG-INFO-CKBI", "wb"), tag
     toggle_trailing_blank_line("security/coreconf/coreconf.dep")
 elif action in ('update_nssckbi'):
     tag, = args[1:]
     if not options.cvsroot:
         options.cvsroot = os.environ.get('CVSROOT', CVSROOT_MOZILLA)
     do_cvs_export(NSSCKBI_DIRS, tag, options.cvsroot, options.cvs)
-    print >>file("security/nss/TAG-INFO-CKBI", "w"), tag
+    print >>file("security/nss/TAG-INFO-CKBI", "wb"), tag
 elif action in ('update_libffi'):
     tag, = args[1:]
     if not options.cvsroot:
         options.cvsroot = CVSROOT_LIBFFI
     do_cvs_export(LIBFFI_DIRS, tag, options.cvsroot, options.cvs)
 elif action in ('update_webidlparser'):
     tag, = args[1:]
     do_hg_replace(WEBIDLPARSER_DIR, WEBIDLPARSER_REPO, tag, WEBIDLPARSER_EXCLUSIONS, options.hg)
--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -30,21 +30,16 @@
  * SUCH DAMAGE.
  *
  *	@(#)db.h	8.7 (Berkeley) 6/16/94
  */
 
 #ifndef _DB_H_
 #define	_DB_H_
 
-
-#ifdef WINCE
-#define off_t long
-#endif
-
 #ifndef macintosh
 #include <sys/types.h>
 #endif
 #include "prtypes.h"
 
 #include <limits.h>
 
 #ifdef __DBINTERFACE_PRIVATE
--- a/dbm/include/winfile.h
+++ b/dbm/include/winfile.h
@@ -26,23 +26,17 @@ typedef struct DIR_Struct {
 } DIR;
 
 #define _ST_FSTYPSZ 16
 
 #if !defined(__BORLANDC__) && !defined(__GNUC__)
  typedef unsigned long mode_t;
  typedef          long uid_t;
  typedef          long gid_t;
-
-#ifdef WINCE
- typedef          long ino_t;
-#else
  typedef          long off_t;
-#endif
-
  typedef unsigned long nlink_t;
 #endif 
 
 typedef struct timestruc {
     time_t  tv_sec;         /* seconds */
     long    tv_nsec;        /* and nanoseconds */
 } timestruc_t;
 
--- a/dbm/src/Makefile.in
+++ b/dbm/src/Makefile.in
@@ -48,16 +48,12 @@ LOCAL_INCLUDES	= -I$(srcdir)/../include
 
 FORCE_STATIC_LIB = 1
 FORCE_USE_PIC = 1
 
 include $(topsrcdir)/config/rules.mk
 
 DEFINES		+= -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
 
-ifeq ($(OS_ARCH),WINCE)
-DEFINES     += -D__STDC__ -DDBM_REOPEN_ON_FLUSH
-endif
-
 ifeq ($(OS_ARCH),AIX)
 OS_LIBS		+= -lc_r
 endif
 
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -73,24 +73,16 @@ mkstemp(char *path)
 int
 mkstempflags(char *path, int extraFlags)
 {
 	int fd;
 
 	return (_gettemp(path, &fd, extraFlags) ? fd : -1);
 }
 
-#ifdef WINCE /* otherwise, use the one in libc */
-char *
-mktemp(char *path)
-{
-	return(_gettemp(path, (int *)NULL, 0) ? path : (char *)NULL);
-}
-#endif
-
 /* NB: This routine modifies its input string, and does not always restore it.
 ** returns 1 on success, 0 on failure.
 */
 static int 
 _gettemp(char *path, register int *doopen, int extraFlags)
 {    
 #if !defined(_WINDOWS) || defined(_WIN32)
 	extern int errno;                    
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -103,13 +103,16 @@ ARCH		= darwin
 DSO_CFLAGS	= -fPIC
 # May override this with different compatibility and current version numbers.
 DARWIN_DYLIB_VERSIONS = -compatibility_version 1 -current_version 1
 # May override this with -bundle to create a loadable module.
 DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 
 MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 DLL_SUFFIX	= dylib
+ifdef MAPFILE
+	MKSHLIB += -exported_symbols_list $(MAPFILE)
+endif
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS	= -lz
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -127,17 +127,17 @@ LDFLAGS			+= $(ARCHFLAG)
 ifdef _SBOX_DIR
 LDFLAGS			+= -Wl,-rpath-link,/usr/lib:/lib
 endif
 
 # INCLUDES += -I/usr/include -Y/usr/include/linux
 G++INCLUDES		= -I/usr/include/g++
 
 #
-# Always set CPU_TAG on Linux, WINCE.
+# Always set CPU_TAG on Linux.
 #
 CPU_TAG = _$(CPU_ARCH)
 
 #
 # On Linux 2.6 or later, build libfreebl3.so with no NSPR and libnssutil3.so
 # dependencies by default.  Set FREEBL_NO_DEPEND to 0 in the environment to
 # override this.
 #
--- a/security/coreconf/README
+++ b/security/coreconf/README
@@ -452,22 +452,16 @@ OVERVIEW of "rules.mk":
                                           build the object file
                                           associated with the
                                           makefile rule dependency:
 
                                               %.cpp = C++ file
 
         MISCELLANEOUS
         -------------
-        $(DIRS)::                         specifies a helper method
-                                          used by $(LOOP_THROUGH_DIRS)
-                                          to recursively change
-                                          directories and invoke
-                                          $(MAKE)
-
         %.i:                              build the preprocessor file
                                           associated with the
                                           makefile rule dependency:
 
                                               %.c   = C file
                                               %.cpp = C++ file
 
         %:                                process the specified file
--- a/security/coreconf/WIN95.mk
+++ b/security/coreconf/WIN95.mk
@@ -6,10 +6,10 @@
 #
 # Config stuff for OS_TARGET=WIN95
 #
 
 include $(CORE_DEPTH)/coreconf/WIN32.mk
 
 DEFINES += -DWIN95
 
-# WINNT uses the lib prefix, Win95 and WinCE don't
+# WINNT uses the lib prefix, Win95 doesn't
 NSPR31_LIB_PREFIX = $(NULL)
deleted file mode 100644
--- a/security/coreconf/WINCE.mk
+++ /dev/null
@@ -1,182 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#
-# Configuration common to all versions of Windows CE and Pocket PC x.
-#
-
-ifeq ($(CPU_ARCH),x86)
-    DEFAULT_COMPILER = cl
-    CC           = cl
-    CCC          = cl
-else
-ifeq ($(CPU_ARCH),ARM)
-    DEFAULT_COMPILER = clarm
-    CC           = clarm
-    CCC          = clarm
-else
-include CPU_ARCH_is_not_recognized
-include _$(CPU_ARCH)
-endif
-endif
-
-LINK         = link
-AR           = lib
-AR          += -NOLOGO -OUT:"$@"
-RANLIB       = echo
-BSDECHO      = echo
-
-ifdef BUILD_TREE
-NSINSTALL_DIR  = $(BUILD_TREE)/nss
-else
-NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-endif
-NSINSTALL      = nsinstall
-
-MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf/mkdepend
-MKDEPEND        = $(MKDEPEND_DIR)/$(OBJDIR_NAME)/mkdepend.exe
-# Note: MKDEPENDENCIES __MUST__ be a relative pathname, not absolute.
-# If it is absolute, gmake will crash unless the named file exists.
-MKDEPENDENCIES  = $(OBJDIR_NAME)/depend.mk
-
-INSTALL      = $(NSINSTALL)
-MAKE_OBJDIR  = mkdir
-MAKE_OBJDIR += $(OBJDIR)
-RC           = rc.exe
-GARBAGE     += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb
-XP_DEFINE   += -DXP_PC
-LIB_SUFFIX   = lib
-DLL_SUFFIX   = dll
-OS_DLLFLAGS  += -DLL
-
-EXTRA_EXE_LD_FLAGS += -ENTRY:mainWCRTStartup
-
-ifdef BUILD_OPT
-#   OS_CFLAGS  += -MD
-    OPTIMIZER  += -O2
-    DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
-    DLLFLAGS   += -OUT:"$@"
-else
-    #
-    # Define USE_DEBUG_RTL if you want to use the debug runtime library
-    # (RTL) in the debug build
-    #
-    ifdef USE_DEBUG_RTL
-#	OS_CFLAGS += -MDd
-    else
-#	OS_CFLAGS += -MD
-    endif
-    OPTIMIZER  += -Od -Z7
-    #OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
-    DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
-    DLLFLAGS   += -DEBUG -DEBUGTYPE:CV -OUT:"$@"
-    LDFLAGS    += -DEBUG -DEBUGTYPE:CV
-endif
-
-# DEFINES += -DWIN32
-
-ifdef MAPFILE
-    DLLFLAGS += -DEF:$(MAPFILE)
-endif
-
-# Change PROCESS to put the mapfile in the correct format for this platform
-PROCESS_MAP_FILE = cp $< $@
-
-#
-#  The following is NOT needed for the NSPR 2.0 library.
-#
-
-DEFINES += -D_WINDOWS
-
-# override default, which is ASFLAGS = CFLAGS
-AS	= ml.exe
-ASFLAGS = -Cp -Sn -Zi -coff $(INCLUDES)
-
-#
-# override the definitions of RELEASE_TREE found in tree.mk
-#
-ifndef RELEASE_TREE
-    ifdef BUILD_SHIP
-	ifdef USE_SHIPS
-	    RELEASE_TREE = $(NTBUILD_SHIP)
-	else
-	    RELEASE_TREE = //redbuild/components
-	endif
-    else
-	RELEASE_TREE = //redbuild/components
-    endif
-endif
-
-#
-# override the definitions of LIB_PREFIX and DLL_PREFIX in prefix.mk
-#
-
-ifndef LIB_PREFIX
-    LIB_PREFIX =  $(NULL)
-endif
-
-ifndef DLL_PREFIX
-    DLL_PREFIX =  $(NULL)
-endif
-
-#
-# override the definitions of various _SUFFIX symbols in suffix.mk
-#
-
-#
-# Object suffixes
-#
-ifndef OBJ_SUFFIX
-    OBJ_SUFFIX = .obj
-endif
-
-#
-# Assembler source suffixes
-#
-ifndef ASM_SUFFIX
-    ASM_SUFFIX = .asm
-endif
-
-#
-# Library suffixes
-#
-
-ifndef IMPORT_LIB_SUFFIX
-    IMPORT_LIB_SUFFIX = .$(LIB_SUFFIX)
-endif
-
-ifndef DYNAMIC_LIB_SUFFIX_FOR_LINKING
-    DYNAMIC_LIB_SUFFIX_FOR_LINKING = $(IMPORT_LIB_SUFFIX)
-endif
-
-#
-# Program suffixes
-#
-ifndef PROG_SUFFIX
-    PROG_SUFFIX = .exe
-endif
-
-#
-# override ruleset.mk, removing the "lib" prefix for library names, and
-# adding the "32" after the LIBRARY_VERSION.
-#
-ifdef LIBRARY_NAME
-    SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)32$(JDK_DEBUG_SUFFIX).dll
-    IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION)32$(JDK_DEBUG_SUFFIX).lib
-endif
-
-#
-# override the TARGETS defined in ruleset.mk, adding IMPORT_LIBRARY
-#
-ifndef TARGETS
-    TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
-endif
-
-
-#
-# Always set CPU_TAG on Linux, WINCE.
-#
-CPU_TAG = _$(CPU_ARCH)
-
--- a/security/coreconf/WINNT.mk
+++ b/security/coreconf/WINNT.mk
@@ -11,10 +11,10 @@ include $(CORE_DEPTH)/coreconf/WIN32.mk
 
 DEFINES += -DWINNT
 
 #
 # Win NT needs -GT so that fibers can work
 #
 OS_CFLAGS += -GT
 
-# WINNT uses the lib prefix, Win95 and WinCE don't
+# WINNT uses the lib prefix, Win95 doesn't
 NSPR31_LIB_PREFIX = lib
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -26,17 +26,17 @@ endif
 #       (dependent upon <architecture> tags)                          #
 #                                                                     #
 #       We are moving towards just having a $(OS_TARGET).mk file      #
 #       as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files,    #
 #       one for each OS release.                                      #
 #######################################################################
 
 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
-              AIX RISCOS WINNT WIN95 WINCE Linux
+              AIX RISCOS WINNT WIN95 Linux
 
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
 
 #######################################################################
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -236,17 +236,17 @@ endif
 alltags:
 	rm -f TAGS
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
-	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)) $(EXTRA_EXE_LD_FLAGS)
+	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
@@ -303,21 +303,16 @@ ifdef MT
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 endif
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 	chmod +x $@
-ifeq ($(OS_TARGET),Darwin)
-ifdef MAPFILE
-	nmedit -s $(MAPFILE) $@
-endif
-endif
 endif
 endif
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 $(RES): $(RESNAME)
 	@$(MAKE_OBJDIR)
 # The resource compiler does not understand the -U option.
 ifdef NS_USE_GCC
@@ -332,17 +327,17 @@ endif
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(EXTRA_EXE_LD_FLAGS)
+	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
@@ -360,22 +355,26 @@ ifeq (,$(filter-out OS2 AIX,$(OS_TARGET)
 # OS/2 and AIX
 NEED_ABSOLUTE_PATH := 1
 PWD := $(shell pwd)
 
 else
 # Windows
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 NEED_ABSOLUTE_PATH := 1
+ifdef .PYMAKE
+PWD := $(CURDIR)
+else
 PWD := $(shell pwd)
 ifeq (,$(findstring ;,$(PATH)))
 ifndef USE_MSYS
 PWD := $(subst \,/,$(shell cygpath -w $(PWD)))
 endif
 endif
+endif
 
 else
 # everything else
 PWD := $(shell pwd)
 endif
 endif
 
 # The quotes allow absolute paths to contain spaces.
@@ -471,29 +470,16 @@ ifneq (,$(filter-out WIN%,$(OS_TARGET)))
 endif
 
 %: %.pl
 	rm -f $@; cp $< $@; chmod +x $@
 
 %: %.sh
 	rm -f $@; cp $< $@; chmod +x $@
 
-ifdef DIRS
-$(DIRS)::
-	@if test -d $@; then				\
-		set $(EXIT_ON_ERROR);			\
-		echo "cd $@; $(MAKE)";			\
-		cd $@; $(MAKE);				\
-		set +e;					\
-	else						\
-		echo "Skipping non-directory $@...";	\
-	fi;						\
-	$(CLICK_STOPWATCH)
-endif
-
 ################################################################################
 # Bunch of things that extend the 'export' rule (in order):
 ################################################################################
 
 $(JAVA_DESTPATH) $(JAVA_DESTPATH)/$(PACKAGE) $(JMCSRCDIR)::
 	@if test ! -d $@; then	    \
 		echo Creating $@;   \
 		rm -rf $@;	    \
@@ -891,17 +877,17 @@ ifdef MKDEPENDENCIES
 	touch $(MKDEPENDENCIES) 
 	chmod u+w $(MKDEPENDENCIES) 
 #on NT, the preceding touch command creates a read-only file !?!?!
 #which is why we have to explicitly chmod it.
 	$(MKDEPEND) -p$(OBJDIR_NAME)/ -o'$(OBJ_SUFFIX)' -f$(MKDEPENDENCIES) \
 $(NOMD_CFLAGS) $(YOPT) $(CSRCS) $(CPPSRCS) $(ASFILES)
 
 $(MKDEPEND):: $(MKDEPEND_DIR)/*.c $(MKDEPEND_DIR)/*.h
-	cd $(MKDEPEND_DIR); $(MAKE)
+	$(MAKE) -C $(MKDEPEND_DIR)
 
 ifdef OBJS
 depend:: $(MKDEPEND) $(MKDEPENDENCIES)
 else
 depend::
 endif
 	+$(LOOP_OVER_DIRS)
 
@@ -953,10 +939,10 @@ DUMMY_DEPEND = $(CORE_DEPTH)/coreconf/co
 # Don't delete these files if we get killed.
 #
 .PRECIOUS: .java $(JDK_HEADERS) $(JDK_STUBS) $(JRI_HEADERS) $(JRI_STUBS) $(JMC_HEADERS) $(JMC_STUBS) $(JNI_HEADERS)
 
 #
 # Fake targets.  Always run these rules, even if a file/directory with that
 # name already exists.
 #
-.PHONY: all all_platforms alltags boot clean clobber clobber_all export install libs program realclean release $(OBJDIR) $(DIRS)
+.PHONY: all all_platforms alltags boot clean clobber clobber_all export install libs program realclean release $(OBJDIR)
 
--- a/security/coreconf/ruleset.mk
+++ b/security/coreconf/ruleset.mk
@@ -176,19 +176,21 @@ else # !JAVA_DESTPATH
     ALL_TRASH += $(wildcard $(PACKAGE)/*.class) $(JDIRS)
 endif
 
 endif #NS_USE_JDK
 
 ifdef NSS_BUILD_CONTINUE_ON_ERROR
 # Try to build everything. I.e., don't exit on errors.
     EXIT_ON_ERROR		= +e
+    IGNORE_ERROR		= -
     CLICK_STOPWATCH		= date
 else
     EXIT_ON_ERROR		= -e
+    IGNORE_ERROR		=
     CLICK_STOPWATCH		= true
 endif
 
 ifdef REQUIRES
     MODULE_INCLUDES := $(addprefix -I$(SOURCE_XP_DIR)/public/, $(REQUIRES))
     INCLUDES        += $(MODULE_INCLUDES)
     ifeq ($(MODULE), sectools)
 	PRIVATE_INCLUDES := $(addprefix -I$(SOURCE_XP_DIR)/private/, $(REQUIRES))
@@ -196,23 +198,19 @@ ifdef REQUIRES
     endif
 endif
 
 ifdef SYSTEM_INCL_DIR
     YOPT = -Y$(SYSTEM_INCL_DIR)
 endif
 
 ifdef DIRS
-    LOOP_OVER_DIRS	=					\
-	@for directory in $(DIRS); do				\
-	    if test -d $$directory; then			\
-		set $(EXIT_ON_ERROR);				\
-		echo "cd $$directory; $(MAKE) $@";		\
-		$(MAKE) -C $$directory $@;			\
-		set +e;						\
-	    else						\
-		echo "Skipping non-directory $$directory...";	\
-	    fi;							\
-	    $(CLICK_STOPWATCH);					\
-	done
+define SUBMAKE
++@echo "cd $2; $(MAKE) $1"
+$(IGNORE_ERROR)@$(MAKE) -C $(2) $(1)
+@$(CLICK_STOPWATCH)
+
+endef
+
+    LOOP_OVER_DIRS	= $(foreach dir,$(DIRS),$(call SUBMAKE,$@,$(dir)))
 endif
 
 MK_RULESET = included
--- a/security/dbm/Makefile
+++ b/security/dbm/Makefile
@@ -6,17 +6,17 @@
 
 #######################################################################
 # (1) Include initial platform-independent assignments (MANDATORY).   #
 #######################################################################
 
 include manifest.mn
 
 ifdef NSS_DISABLE_DBM
-DIRS	= dummy
+DIRS =
 endif
 
 #######################################################################
 # (2) Include "global" configuration information. (OPTIONAL)          #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/config.mk
 
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -21,19 +21,17 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-ifeq ($(OS_TARGET),WINCE)
-DIRS	= lib	# omit cmd since wince has no command line shell
-endif
+
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
@@ -46,20 +44,20 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 nss_build_all: build_coreconf build_nspr build_dbm all
 
 nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
 
 build_coreconf:
-	cd $(CORE_DEPTH)/coreconf ;  $(MAKE)
+	$(MAKE) -C $(CORE_DEPTH)/coreconf
 
 clobber_coreconf:
-	cd $(CORE_DEPTH)/coreconf ;  $(MAKE) clobber
+	$(MAKE) -C $(CORE_DEPTH)/coreconf clobber
 
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
@@ -104,30 +102,30 @@ endif
 	$(NSINSTALL) -D $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)
 	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; \
 	$(NSPR_COMPILERS) sh ../configure \
 	$(NSPR_CONFIGURE_OPTS) \
 	--with-dist-prefix='$(NSPR_PREFIX)' \
 	--with-dist-includedir='$(NSPR_PREFIX)/include'
 
 build_nspr: $(NSPR_CONFIG_STATUS)
-	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE)
+	$(MAKE) -C $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)
 
 clobber_nspr: $(NSPR_CONFIG_STATUS)
-	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
+	$(MAKE) -C $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) clobber
 
 build_dbm:
 ifdef NSS_DISABLE_DBM
 	@echo "skipping the build of DBM"
 else
-	cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
+	$(MAKE) -C $(CORE_DEPTH)/dbm export libs
 endif
 
 clobber_dbm:
-	cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber
+	$(MAKE) -C $(CORE_DEPTH)/dbm clobber
 
 moz_import::
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 	$(NSINSTALL) -D $(DIST)/include/nspr
 	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
 	cp $(DIST)/../include/* $(DIST)/include
 ifdef BUILD_OPT
 	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_14_RTM
+NSS_3_14_1_RTM
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@@ -1,1 +1,1 @@
-NSS_3_14_RTM
+NSS_3_14_1_RTM
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Tool for converting builtin CA certs.
  *
- * $Id: addbuiltin.c,v 1.19 2012/07/04 15:21:47 gerv%gerv.net Exp $
+ * $Id: addbuiltin.c,v 1.20 2012/11/29 02:11:04 bsmith%mozilla.com Exp $
  */
 
 #include "nssrenam.h"
 #include "nss.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secutil.h"
 #include "pk11func.h"
@@ -261,17 +261,17 @@ ConvertCertificate(SECItem *sdder, char 
 }
 
 void printheader() {
     printf("# \n"
 "# This Source Code Form is subject to the terms of the Mozilla Public\n"
 "# License, v. 2.0. If a copy of the MPL was not distributed with this\n"
 "# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
      "#\n"
-     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.19 $ $Date: 2012/07/04 15:21:47 $\"\n"
+     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.20 $ $Date: 2012/11/29 02:11:04 $\"\n"
      "\n"
      "#\n"
      "# certdata.txt\n"
      "#\n"
      "# This file contains the object definitions for the certs and other\n"
      "# information \"built into\" NSS.\n"
      "#\n"
      "# Object definitions:\n"
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -1454,16 +1454,17 @@ bltest_rsa_init(bltestCipherInfo *cipher
 	cipherInfo->cx = (void *)pubkey;
 	cipherInfo->cipher.pubkeyCipher = rsa_PublicKeyOp;
     } else {
 	cipherInfo->cipher.pubkeyCipher = rsa_PrivateKeyOp;
     }
     return SECSuccess;
 }
 
+SECStatus
 blapi_pqg_param_gen(unsigned int keysize, PQGParams **pqg, PQGVerify **vfy)
 {
     if (keysize < 1024) {
 	int j = PQG_PBITS_TO_INDEX(keysize);
 	return PQG_ParamGen(j, pqg, vfy);
     }
     return PQG_ParamGenV2(keysize, 0, 0, pqg, vfy);
 }
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -9,20 +9,18 @@
 #if defined(XP_UNIX)
 #include <unistd.h>
 #include <sys/time.h>
 #include <termios.h>
 #endif
 
 #if defined(XP_WIN) || defined (XP_PC)
 #include <time.h>
-#ifndef WINCE
 #include <conio.h>
 #endif
-#endif
 
 #if defined(__sun) && !defined(SVR4)
 extern int fclose(FILE*);
 extern int fprintf(FILE *, char *, ...);
 extern int isatty(int);
 extern char *sys_errlist[];
 #define strerror(errno) sys_errlist[errno]
 #endif
@@ -91,17 +89,17 @@ UpdateRNG(void)
     tio.c_cc[VMIN] = 1;
     tio.c_cc[VTIME] = 0;
     tcsetattr(fd, TCSAFLUSH, &tio);
 #endif
 
     /* Get random noise from keyboard strokes */
     count = 0;
     while (count < sizeof randbuf) {
-#if defined(XP_UNIX) || defined(WINCE)
+#if defined(XP_UNIX)
 	c = getc(stdin);
 #else
 	c = getch();
 #endif
 	if (c == EOF) {
 	    rv = -1;
 	    break;
 	}
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -12,20 +12,18 @@
 #include "prerror.h"
 #include "prprf.h"
 #include "plgetopt.h"
 #include "prenv.h"
 #include "prnetdb.h"
 
 #include "basicutil.h"
 #include <stdarg.h>
-#if !defined(_WIN32_WCE)
 #include <sys/stat.h>
 #include <errno.h>
-#endif
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 
 #include "secoid.h"
 
 extern long DER_GetInteger(SECItem *src);
@@ -86,21 +84,17 @@ SECU_PrintError(char *progName, char *ms
 void
 SECU_PrintSystemError(char *progName, char *msg, ...)
 {
     va_list args;
 
     va_start(args, msg);
     fprintf(stderr, "%s: ", progName);
     vfprintf(stderr, msg, args);
-#if defined(_WIN32_WCE)
-    fprintf(stderr, ": %d\n", PR_GetOSError());
-#else
     fprintf(stderr, ": %s\n", strerror(errno));
-#endif
     va_end(args);
 }
 
 SECStatus
 secu_StdinToItem(SECItem *dst)
 {
     unsigned char buf[1000];
     PRInt32 numBytes;
--- a/security/nss/cmd/lib/config.mk
+++ b/security/nss/cmd/lib/config.mk
@@ -8,12 +8,8 @@
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(LIBRARY)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
-ifeq (WINCE,$(OS_ARCH))
-CSRCS += wincemain.c
-endif
-
--- a/security/nss/cmd/lib/secpwd.c
+++ b/security/nss/cmd/lib/secpwd.c
@@ -15,17 +15,17 @@
 #ifdef XP_UNIX
 #include <termios.h>
 #endif
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include <unistd.h>  /* for isatty() */
 #endif
 
-#if( defined(_WINDOWS) && !defined(_WIN32_WCE))
+#if defined(_WINDOWS)
 #include <conio.h>
 #include <io.h>
 #define QUIET_FGETS quiet_fgets
 static char * quiet_fgets (char *buf, int length, FILE *input);
 #else
 #define QUIET_FGETS fgets
 #endif
 
@@ -139,21 +139,18 @@ static char * quiet_fgets (char *buf, in
   memset (buf, 0, length);
 
   if (!isatty(fileno(input))) {
      return fgets(buf,length,input);
   }
 
   while (1)
     {
-#if defined (_WIN32_WCE)
-    c = getchar();	/* gets a character from stdin */
-#else
     c = getch();	/* getch gets a character from the console */
-#endif
+
     if (c == '\b')
       {
       if (end > buf)
         end--;
       }
 
     else if (--length > 0)
       *end++ = c;
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -15,20 +15,18 @@
 #include "prenv.h"
 #include "prnetdb.h"
 
 #include "cryptohi.h"
 #include "secutil.h"
 #include "secpkcs7.h"
 #include "secpkcs5.h"
 #include <stdarg.h>
-#if !defined(_WIN32_WCE)
 #include <sys/stat.h>
 #include <errno.h>
-#endif
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 
 /* for SEC_TraverseNames */
 #include "cert.h"
 #include "certt.h"
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -312,58 +312,58 @@ extern SECStatus SECU_StoreCRL(PK11SlotI
 ** encodes the result.
 **	"arena" is the memory arena to use to allocate data from
 **      "sd" returned CERTSignedData 
 ** 	"result" the final der encoded data (memory is allocated)
 ** 	"buf" the input data to sign
 ** 	"len" the amount of data to sign
 ** 	"pk" the private key to encrypt with
 */
-extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
+extern SECStatus SECU_DerSignDataCRL(PLArenaPool *arena, CERTSignedData *sd,
                                      unsigned char *buf, int len,
                                      SECKEYPrivateKey *pk, SECOidTag algID);
 
 typedef enum  {
     noKeyFound = 1,
     noSignatureMatch = 2,
     failToEncode = 3,
     failToSign = 4,
     noMem = 5
 } SignAndEncodeFuncExitStat;
 
 extern SECStatus
 SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
                       SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
 
 extern SECStatus
-SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
+SECU_CopyCRL(PLArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
 
 /*
 ** Finds the crl Authority Key Id extension. Returns NULL if no such extension
 ** was found.
 */
 CERTAuthKeyID *
-SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
+SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *crl);
 
 /*
  * Find the issuer of a crl. Cert usage should be checked before signing a crl.
  */
 CERTCertificate *
 SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
                    CERTAuthKeyID* id, PRTime validTime);
 
 
 /* call back function used in encoding of an extension. Called from
  * SECU_EncodeAndAddExtensionValue */
-typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
+typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PLArenaPool *extHandleArena,
                                                void *value, SECItem *encodedValue);
 
 /* Encodes and adds extensions to the CRL or CRL entries. */
 SECStatus 
-SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
+SECU_EncodeAndAddExtensionValue(PLArenaPool *arena, void *extHandle, 
                                 void *value, PRBool criticality, int extenType, 
                                 EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
 
 /* Caller ensures that dst is at least item->len*2+1 bytes long */
 void
 SECU_SECItemToHex(const SECItem * item, char * dst);
 
 /* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
deleted file mode 100644
--- a/security/nss/cmd/lib/wincemain.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifdef WINCE
-#include <windows.h>
-
-int
-wmain(int argc, WCHAR **wargv)
-{
-    char **argv;
-    int i, ret;
-
-    argv = malloc(argc * sizeof(char*));
-
-    for (i = 0; i < argc; i++) {
-        int len = WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, NULL, 0, 0, 0);
-        argv[i] = malloc(len * sizeof(char));
-        WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, argv[i], len, 0, 0);
-    }
-
-    ret = main(argc, argv);
-
-    for (i = 0; i < argc; i++) {
-        free(argv[i]);
-    }
-    free(argv);
-
-    return ret;
-}
-
-#endif
-
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -24,16 +24,17 @@ DIRS = lib  \
  digest  \
  httpserv  \
  fipstest  \
  $(LOWHASHTEST_SRCDIR)  \
  listsuites \
  makepqg  \
  multinit \
  ocspclnt  \
+ ocspresp \
  oidcalc  \
  p7content  \
  p7env  \
  p7sign  \
  p7verify  \
  pk12util \
  pk11mode \
  pk1sign  \
--- a/security/nss/cmd/ocspclnt/manifest.mn
+++ b/security/nss/cmd/ocspclnt/manifest.mn
@@ -17,10 +17,8 @@ REQUIRES = dbm seccmd
 
 # WINNT uses EXTRA_LIBS as the list of libs to link in.
 # Unix uses     OS_LIBS for that purpose.
 # We can solve this via conditional makefile code, but 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 # So, look in the local Makefile for the defines for the list of libs.
 
 PROGRAM = ocspclnt
-
-USE_STATIC_LIBS = 1
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ocspresp/Makefile
@@ -0,0 +1,47 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ocspresp/manifest.mn
@@ -0,0 +1,15 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = ocspresp.c
+
+REQUIRES = seccmd 
+
+PROGRAM = ocspresp
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ocspresp/ocspresp.c
@@ -0,0 +1,248 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * ocspresp - self test for OCSP response creation
+ */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "nss.h"
+#include "pk11func.h"
+#include "cryptohi.h"
+#include "ocsp.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+secuPWData  pwdata          = { PW_NONE, 0 };
+
+static PRBool
+getCaAndSubjectCert(CERTCertDBHandle *certHandle,
+                    const char *caNick, const char *eeNick,
+                    CERTCertificate **outCA, CERTCertificate **outCert)
+{
+    *outCA = CERT_FindCertByNickname(certHandle, caNick);
+    *outCert = CERT_FindCertByNickname(certHandle, eeNick);
+    return *outCA && *outCert;
+}
+
+static SECItem *
+encode(PRArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
+{
+    SECItem *response;
+    PRTime now = PR_Now();
+    PRTime nextUpdate;
+    CERTOCSPSingleResponse **responses;
+    CERTOCSPSingleResponse *sr;
+
+    if (!arena)
+        return NULL;
+
+    nextUpdate = now + 10 * PR_USEC_PER_SEC; /* in the future */
+    
+    sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, &nextUpdate);
+
+    /* meaning of value 2: one entry + one end marker */
+    responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
+    if (responses == NULL)
+        return NULL;
+    
+    responses[0] = sr;
+    responses[1] = NULL;
+    
+    response = CERT_CreateEncodedOCSPSuccessResponse(
+        arena, ca, ocspResponderID_byName, now, responses, &pwdata);
+
+    return response;
+}
+
+static SECItem *
+encodeRevoked(PRArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
+{
+    SECItem *response;
+    PRTime now = PR_Now();
+    PRTime revocationTime;
+    CERTOCSPSingleResponse **responses;
+    CERTOCSPSingleResponse *sr;
+
+    if (!arena)
+        return NULL;
+
+    revocationTime = now - 10 * PR_USEC_PER_SEC; /* in the past */
+
+    sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now, NULL,
+                                              revocationTime, NULL);
+
+    /* meaning of value 2: one entry + one end marker */
+    responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
+    if (responses == NULL)
+        return NULL;
+
+    responses[0] = sr;
+    responses[1] = NULL;
+
+    response = CERT_CreateEncodedOCSPSuccessResponse(
+        arena, ca, ocspResponderID_byName, now, responses, &pwdata);
+
+    return response;
+}
+
+int Usage(void)
+{
+    PRFileDesc *pr_stderr = PR_STDERR;
+    PR_fprintf (pr_stderr, "ocspresp runs an internal selftest for OCSP response creation");
+    PR_fprintf (pr_stderr, "Usage:");
+    PR_fprintf (pr_stderr,
+                "\tocspresp <dbdir> <CA-nick> <EE-nick> [-p <pass>] [-f <file>]\n");
+    PR_fprintf (pr_stderr,
+                "\tdbdir:   Find security databases in \"dbdir\"\n");
+    PR_fprintf (pr_stderr,
+                "\tCA-nick: nickname of a trusted CA certificate with private key\n");
+    PR_fprintf (pr_stderr,
+                "\tEE-nick: nickname of a entity cert issued by CA\n");
+    PR_fprintf (pr_stderr,
+                "\t-p:      a password for db\n");
+    PR_fprintf (pr_stderr,
+                "\t-f:      a filename containing the password for db\n");
+    return -1;
+}
+
+int
+main(int argc, char **argv)
+{
+    SECStatus rv;
+    int retval = -1;
+    CERTCertDBHandle *certHandle = NULL;
+    CERTCertificate *caCert = NULL, *cert = NULL;
+    CERTOCSPCertID *cid = NULL;
+    PRArenaPool *arena = NULL;
+    PRTime now = PR_Now();
+    
+    SECItem *encoded = NULL;
+    CERTOCSPResponse *decoded = NULL;
+    SECStatus statusDecoded;
+
+    SECItem *encodedRev = NULL;
+    CERTOCSPResponse *decodedRev = NULL;
+    SECStatus statusDecodedRev;
+    
+    SECItem *encodedFail = NULL;
+    CERTOCSPResponse *decodedFail = NULL;
+    SECStatus statusDecodedFail;
+
+    CERTCertificate *obtainedSignerCert = NULL;
+
+    if (argc != 4 && argc != 6) {
+        return Usage();
+    }
+
+    if (argc == 6) {
+        if (!strcmp(argv[4], "-p")) {
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = PORT_Strdup(argv[5]);
+        }
+        else if (!strcmp(argv[4], "-f")) {
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = PORT_Strdup(argv[5]);
+        }
+        else
+            return Usage();
+    }
+
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    /*rv = NSS_Init(SECU_ConfigDirectory(NULL));*/
+    rv = NSS_Init(argv[1]);
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(argv[0]);
+	goto loser;
+    }
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    certHandle = CERT_GetDefaultCertDB();
+    if (!certHandle)
+	goto loser;
+
+    if (!getCaAndSubjectCert(certHandle, argv[2], argv[3], &caCert, &cert))
+        goto loser;
+
+    cid = CERT_CreateOCSPCertID(cert, now);
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    encoded = encode(arena, cid, caCert);
+    PORT_Assert(encoded);
+    decoded = CERT_DecodeOCSPResponse(encoded);
+    statusDecoded = CERT_GetOCSPResponseStatus(decoded);
+    PORT_Assert(statusDecoded == SECSuccess);
+
+    statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
+                                                &obtainedSignerCert, caCert);
+    PORT_Assert(statusDecoded == SECSuccess);
+    statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
+                                                obtainedSignerCert, now);
+    PORT_Assert(statusDecoded == SECSuccess);
+    CERT_DestroyCertificate(obtainedSignerCert);
+
+    encodedRev = encodeRevoked(arena, cid, caCert);
+    PORT_Assert(encodedRev);
+    decodedRev = CERT_DecodeOCSPResponse(encodedRev);
+    statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev);
+    PORT_Assert(statusDecodedRev == SECSuccess);
+
+    statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
+                                                        &obtainedSignerCert, caCert);
+    PORT_Assert(statusDecodedRev == SECSuccess);
+    statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
+                                                   obtainedSignerCert, now);
+    PORT_Assert(statusDecodedRev == SECFailure);
+    PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
+    CERT_DestroyCertificate(obtainedSignerCert);
+    
+    encodedFail = CERT_CreateEncodedOCSPErrorResponse(
+        arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
+    PORT_Assert(encodedFail);
+    decodedFail = CERT_DecodeOCSPResponse(encodedFail);
+    statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail);
+    PORT_Assert(statusDecodedFail == SECFailure);
+    PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
+
+    retval = 0;
+loser:
+    if (retval != 0)
+        SECU_PrintError(argv[0], "tests failed");
+    
+    if (cid)
+        CERT_DestroyOCSPCertID(cid);
+    if (cert)
+        CERT_DestroyCertificate(cert);
+    if (caCert)
+        CERT_DestroyCertificate(caCert);
+    if (arena)
+        PORT_FreeArena(arena, PR_FALSE);
+    if (decoded)
+        CERT_DestroyOCSPResponse(decoded);
+    if (decodedRev)
+        CERT_DestroyOCSPResponse(decodedRev);
+    if (decodedFail)
+        CERT_DestroyOCSPResponse(decodedFail);
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
+    }
+    
+    if (NSS_Shutdown() != SECSuccess) {
+        SECU_PrintError(argv[0], "NSS shutdown:");
+        if (retval == 0)
+            retval = -2;
+    }
+
+    return retval;
+}
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -48,17 +48,17 @@ PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) 
+ifeq ($(OS_ARCH), WINNT)
 
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
@@ -134,17 +134,17 @@ EXTRA_SHARED_LIBS += \
 endif
 
 ifeq ($(OS_TARGET), SunOS)
 OS_LIBS += -lbsm
 endif
 
 else # USE_STATIC_LIBS
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) 
+ifeq ($(OS_ARCH), WINNT)
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -6,20 +6,18 @@
 
 #include "secutil.h"
 #include "basicutil.h"
 
 #if defined(XP_UNIX)
 #include <unistd.h>
 #endif
 #include <stdlib.h>
-#if !defined(_WIN32_WCE)
 #include <errno.h>
 #include <fcntl.h>
-#endif
 #include <stdarg.h>
 
 #include "plgetopt.h"
 
 #include "nspr.h"
 #include "prio.h"
 #include "prnetdb.h"
 #include "prerror.h"
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.37 2012/04/25 14:49:26 gerv%gerv.net Exp $
+ * $Id: certi.h,v 1.38 2012/12/06 17:56:57 wtc%google.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
 
 #include "certt.h"
 #include "nssrwlkt.h"
 
 /*
@@ -286,17 +286,17 @@ extern SECStatus cert_GetCertType(CERTCe
 
 /*
  * compute and return the value of nsCertType for cert, but do not 
  * update the CERTCertificate.
  */
 extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
 
 void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
-                         unsigned long errorCode, unsigned int depth,
+                         long errorCode, unsigned int depth,
                          void *arg);
 
 /* Insert a DER CRL into the CRL cache, and take ownership of it.
  *
  * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument
  * completely.  crl must be freeable by SECITEM_FreeItem. It will be freed
  * immediately if it is rejected from the CRL cache, or later during cache
  * updates when a new crl is available, or at shutdown time.
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -224,17 +224,17 @@ CERT_TrustFlagsForCACertUsage(SECCertUsa
     }
     
     return(SECSuccess);
 loser:
     return(SECFailure);
 }
 
 void
-cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
+cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, long error,
 	       unsigned int depth, void *arg)
 {
     CERTVerifyLogNode *node, *tnode;
 
     PORT_Assert(log != NULL);
     
     node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
 						sizeof(CERTVerifyLogNode));
@@ -285,24 +285,26 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
 
 #define EXIT_IF_NOT_LOGGING(log) \
     if ( log == NULL ) { \
 	goto loser; \
     }
 
 #define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+			    (void *)(PRWord)arg); \
     } else { \
 	goto loser; \
     }
 
 #define LOG_ERROR(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+			    (void *)(PRWord)arg); \
     }
 
 static SECStatus
 cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 		     PRBool checkSig, PRBool* sigerror,
                      SECCertUsage certUsage, int64 t, void *wincx,
                      CERTVerifyLog *log, PRBool* revoked)
 {
--- a/security/nss/lib/certhigh/manifest.mn
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -16,16 +16,17 @@ PRIVATE_EXPORTS = \
 
 MODULE = nss
 
 CSRCS = \
 	certhtml.c \
 	certreq.c \
 	crlv2.c \
 	ocsp.c \
+	ocspsig.c \
 	certhigh.c \
  	certvfy.c \
  	certvfypkix.c \
  	certvfypkixprint.c \
  	xcrldist.c \
 	$(NULL)
 
 LIBRARY_NAME = certhi
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.72 2012/09/22 13:41:58 wtc%google.com Exp $
+ * $Id: ocsp.c,v 1.74.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -146,18 +146,18 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *r
 #define OCSP_TRACE_CERT(cert)
 #define OCSP_TRACE_CERTID(certid)
 #else
 #define OCSP_TRACE(msg) ocsp_Trace msg
 #define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time)
 #define OCSP_TRACE_CERT(cert) dumpCertificate(cert)
 #define OCSP_TRACE_CERTID(certid) dumpCertID(certid)
 
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \
-     || defined(XP_MACOSX)) && !defined(_WIN32_WCE)
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \
+     || defined(XP_MACOSX)
 #define NSS_HAVE_GETENV 1
 #endif
 
 static PRBool wantOcspTrace()
 {
     static PRBool firstTime = PR_TRUE;
     static PRBool wantTrace = PR_FALSE;
 
@@ -1156,34 +1156,34 @@ const SEC_ASN1Template ocsp_CertIDTempla
  * Response-related templates...
  */
 
 /*
  * OCSPResponse	::=	SEQUENCE {
  *	responseStatus		OCSPResponseStatus,
  *	responseBytes		[0] EXPLICIT ResponseBytes OPTIONAL }
  */
-static const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
+const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
     { SEC_ASN1_SEQUENCE, 
 	0, NULL, sizeof(CERTOCSPResponse) },
     { SEC_ASN1_ENUMERATED, 
 	offsetof(CERTOCSPResponse, responseStatus) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
       SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	offsetof(CERTOCSPResponse, responseBytes),
 	ocsp_PointerToResponseBytesTemplate },
     { 0 }
 };
 
 /*
  * ResponseBytes	::=	SEQUENCE {
  *	responseType		OBJECT IDENTIFIER,
  *	response		OCTET STRING }
  */
-static const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
+const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	0, NULL, sizeof(ocspResponseBytes) },
     { SEC_ASN1_OBJECT_ID,
 	offsetof(ocspResponseBytes, responseType) },
     { SEC_ASN1_OCTET_STRING,
 	offsetof(ocspResponseBytes, response) },
     { 0 }
 };
@@ -1270,22 +1270,22 @@ const SEC_ASN1Template ocsp_ResponseData
  *
  * XXX Because the ASN.1 encoder and decoder currently do not provide
  * a way to automatically handle a CHOICE, we need to do it in two
  * steps, looking at the type tag and feeding the exact choice back
  * to the ASN.1 code.  Hopefully that will change someday and this
  * can all be simplified down into a single template.  Anyway, for
  * now we list each choice as its own template:
  */
-static const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
+const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
     { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
 	offsetof(ocspResponderID, responderIDValue.name),
 	CERT_NameTemplate }
 };
-static const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
+const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
     { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
         SEC_ASN1_XTRN | 2,
 	offsetof(ocspResponderID, responderIDValue.keyHash),
 	SEC_ASN1_SUB(SEC_OctetStringTemplate) }
 };
 static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
     { SEC_ASN1_ANY,
 	offsetof(ocspResponderID, responderIDValue.other) }
@@ -2221,17 +2221,17 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest 
  * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
  */
 
 /*
  * Helper function for encoding or decoding a ResponderID -- based on the
  * given type, return the associated template for that choice.
  */
 static const SEC_ASN1Template *
-ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
+ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType)
 {
     const SEC_ASN1Template *responderIDTemplate;
 
     switch (responderIDType) {
 	case ocspResponderID_byName:
 	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
 	    break;
 	case ocspResponderID_byKey:
@@ -2366,20 +2366,20 @@ ocsp_FinishDecodingSingleResponses(PRAre
 loser:
     return rv;
 }
 
 /*
  * Helper function for decoding a responderID -- turn the actual DER tag
  * into our local translation.
  */
-static ocspResponderIDType
+static CERTOCSPResponderIDType
 ocsp_ResponderIDTypeByTag(int derTag)
 {
-    ocspResponderIDType responderIDType;
+    CERTOCSPResponderIDType responderIDType;
 
     switch (derTag) {
 	case 1:
 	    responderIDType = ocspResponderID_byName;
 	    break;
 	case 2:
 	    responderIDType = ocspResponderID_byKey;
 	    break;
@@ -2396,17 +2396,17 @@ ocsp_ResponderIDTypeByTag(int derTag)
  */
 static ocspBasicOCSPResponse *
 ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
 {
     void *mark;
     ocspBasicOCSPResponse *basicResponse;
     ocspResponseData *responseData;
     ocspResponderID *responderID;
-    ocspResponderIDType responderIDType;
+    CERTOCSPResponderIDType responderIDType;
     const SEC_ASN1Template *responderIDTemplate;
     int derTag;
     SECStatus rv;
     SECItem newsrc;
 
     mark = PORT_ArenaMark(arena);
 
     basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.22 2012/09/22 13:41:58 wtc%google.com Exp $
+ * $Id: ocsp.h,v 1.23.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSP_H_
 #define _OCSP_H_
 
 
 #include "plarena.h"
 #include "seccomon.h"
@@ -627,12 +627,79 @@ CERT_CreateOCSPCertID(CERTCertificate *c
  *    free the associated memory.
  * RETURN:
  *  SECSuccess if freeing the memory was successful.  Returns
  *  SECFailure if the memory passed in was not allocated with
  *  a call to CERT_CreateOCSPCertID.
  */
 extern SECStatus
 CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
+
+
+extern CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
+                                  CERTOCSPCertID *id,
+                                  PRTime thisUpdate,
+                                  const PRTime *nextUpdate);
+
+extern CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
+                                     CERTOCSPCertID *id,
+                                     PRTime thisUpdate,
+                                     const PRTime *nextUpdate);
+
+extern CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseRevoked(
+    PLArenaPool *arena,
+    CERTOCSPCertID *id,
+    PRTime thisUpdate,
+    const PRTime *nextUpdate,
+    PRTime revocationTime,
+    const CERTCRLEntryReasonCode* revocationReason);
+
+extern SECItem*
+CERT_CreateEncodedOCSPSuccessResponse(
+    PLArenaPool *arena,
+    CERTCertificate *responderCert,
+    CERTOCSPResponderIDType responderIDType,
+    PRTime producedAt,
+    CERTOCSPSingleResponse **responses,
+    void *wincx);
+
+/*
+ * FUNCTION: CERT_CreateEncodedOCSPErrorResponse
+ *  Creates an encoded OCSP response with an error response status.
+ * INPUTS:
+ *  PLArenaPool *arena
+ *    The return value is allocated from here.
+ *    If a NULL is passed in, allocation is done from the heap instead.
+ *  int error
+ *    An NSS error code indicating an error response status. The error
+ *    code is mapped to an OCSP response status as follows:
+ *        SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest
+ *        SEC_ERROR_OCSP_SERVER_ERROR -> internalError
+ *        SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater
+ *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired
+ *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized
+ *    where the OCSP response status is an enumerated type defined in
+ *    RFC 2560:
+ *    OCSPResponseStatus ::= ENUMERATED {
+ *        successful           (0),     --Response has valid confirmations
+ *        malformedRequest     (1),     --Illegal confirmation request
+ *        internalError        (2),     --Internal error in issuer
+ *        tryLater             (3),     --Try again later
+ *                                      --(4) is not used
+ *        sigRequired          (5),     --Must sign the request
+ *        unauthorized         (6)      --Request unauthorized
+ *    }
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_INVALID_ARGS
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern SECItem*
+CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
+
 /************************************************************************/
 SEC_END_PROTOS
 
 #endif /* _OCSP_H_ */
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspsig.c
@@ -0,0 +1,550 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "cert.h"
+#include "secerr.h"
+#include "secoid.h"
+#include "sechash.h"
+#include "keyhi.h"
+#include "cryptohi.h"
+#include "ocsp.h"
+#include "ocspti.h"
+#include "ocspi.h"
+#include "pk11pub.h"
+
+
+extern const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[];
+extern const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[];
+extern const SEC_ASN1Template ocsp_OCSPResponseTemplate[];
+
+ocspCertStatus*
+ocsp_CreateCertStatus(PLArenaPool *arena,
+                      ocspCertStatusType status,
+                      PRTime revocationTime)
+{
+    ocspCertStatus *cs;
+
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    switch (status) {
+        case ocspCertStatus_good:
+        case ocspCertStatus_unknown:
+        case ocspCertStatus_revoked:
+            break;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return NULL;
+    }
+    
+    cs = PORT_ArenaZNew(arena, ocspCertStatus);
+    if (!cs)
+        return NULL;
+    cs->certStatusType = status;
+    switch (status) {
+        case ocspCertStatus_good:
+            cs->certStatusInfo.goodInfo = SECITEM_AllocItem(arena, NULL, 0);
+            if (!cs->certStatusInfo.goodInfo)
+                return NULL;
+            break;
+        case ocspCertStatus_unknown:
+            cs->certStatusInfo.unknownInfo = SECITEM_AllocItem(arena, NULL, 0);
+            if (!cs->certStatusInfo.unknownInfo)
+                return NULL;
+            break;
+        case ocspCertStatus_revoked:
+            cs->certStatusInfo.revokedInfo =
+                PORT_ArenaZNew(arena, ocspRevokedInfo);
+            if (!cs->certStatusInfo.revokedInfo)
+                return NULL;
+            cs->certStatusInfo.revokedInfo->revocationReason =
+                SECITEM_AllocItem(arena, NULL, 0);
+            if (!cs->certStatusInfo.revokedInfo->revocationReason)
+                return NULL;
+            if (DER_TimeToGeneralizedTimeArena(arena,
+                    &cs->certStatusInfo.revokedInfo->revocationTime,
+                    revocationTime) != SECSuccess)
+                return NULL;
+            break;
+        default:
+            PORT_Assert(PR_FALSE);
+    }
+    return cs;
+}
+
+static const SEC_ASN1Template mySEC_EnumeratedTemplate[] = {
+    { SEC_ASN1_ENUMERATED, 0, NULL, sizeof(SECItem) }
+};
+
+static const SEC_ASN1Template mySEC_PointerToEnumeratedTemplate[] = {
+    { SEC_ASN1_POINTER, 0, mySEC_EnumeratedTemplate }
+};
+
+static const SEC_ASN1Template ocsp_EncodeRevokedInfoTemplate[] = {
+    { SEC_ASN1_GENERALIZED_TIME,
+        offsetof(ocspRevokedInfo, revocationTime) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC| 0,
+        offsetof(ocspRevokedInfo, revocationReason),
+        mySEC_PointerToEnumeratedTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template ocsp_PointerToEncodeRevokedInfoTemplate[] = {
+    { SEC_ASN1_POINTER, 0,
+      ocsp_EncodeRevokedInfoTemplate }
+};
+
+static const SEC_ASN1Template mySEC_NullTemplate[] = {
+    { SEC_ASN1_NULL, 0, NULL, sizeof(SECItem) }
+};
+
+static const SEC_ASN1Template ocsp_CertStatusTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(ocspCertStatus, certStatusType),
+        0, sizeof(ocspCertStatus) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        0, mySEC_NullTemplate, ocspCertStatus_good },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_CONTEXT_SPECIFIC | 1,
+        offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+        ocsp_PointerToEncodeRevokedInfoTemplate, ocspCertStatus_revoked },
+    { SEC_ASN1_CONTEXT_SPECIFIC | 2,
+        0, mySEC_NullTemplate, ocspCertStatus_unknown },
+    { 0 }
+};
+
+static const SEC_ASN1Template mySECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+          offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+          offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+static const SEC_ASN1Template mySEC_AnyTemplate[] = {
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+static const SEC_ASN1Template mySEC_SequenceOfAnyTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, mySEC_AnyTemplate }
+};
+
+static const SEC_ASN1Template mySEC_PointerToSequenceOfAnyTemplate[] = {
+    { SEC_ASN1_POINTER, 0, mySEC_SequenceOfAnyTemplate }
+};
+
+static const SEC_ASN1Template mySEC_IntegerTemplate[] = {
+    { SEC_ASN1_INTEGER, 0, NULL, sizeof(SECItem) }
+};
+
+static const SEC_ASN1Template mySEC_PointerToIntegerTemplate[] = {
+    { SEC_ASN1_POINTER, 0, mySEC_IntegerTemplate }
+};
+
+static const SEC_ASN1Template mySEC_GeneralizedTimeTemplate[] = {
+    { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+static const SEC_ASN1Template mySEC_PointerToGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_POINTER, 0, mySEC_GeneralizedTimeTemplate }
+};
+
+static const SEC_ASN1Template ocsp_myCertIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(CERTOCSPCertID) },
+    { SEC_ASN1_INLINE,
+        offsetof(CERTOCSPCertID, hashAlgorithm),
+        mySECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(CERTOCSPCertID, issuerNameHash) },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(CERTOCSPCertID, issuerKeyHash) },
+    { SEC_ASN1_INTEGER,
+        offsetof(CERTOCSPCertID, serialNumber) },
+    { 0 }
+};
+
+static const SEC_ASN1Template myCERT_CertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+          offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,             /* XXX DER_DEFAULT */
+          offsetof(CERTCertExtension,critical) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template myCERT_SequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, myCERT_CertExtensionTemplate }
+};
+
+static const SEC_ASN1Template myCERT_PointerToSequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_POINTER, 0, myCERT_SequenceOfCertExtensionTemplate }
+};
+
+static const SEC_ASN1Template ocsp_mySingleResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(CERTOCSPSingleResponse) },
+    { SEC_ASN1_POINTER,
+        offsetof(CERTOCSPSingleResponse, certID),
+        ocsp_myCertIDTemplate },
+    { SEC_ASN1_ANY,
+        offsetof(CERTOCSPSingleResponse, derCertStatus) },
+    { SEC_ASN1_GENERALIZED_TIME,
+        offsetof(CERTOCSPSingleResponse, thisUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(CERTOCSPSingleResponse, nextUpdate),
+        mySEC_PointerToGeneralizedTimeTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+        offsetof(CERTOCSPSingleResponse, singleExtensions),
+        myCERT_PointerToSequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template ocsp_myResponseDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(ocspResponseData) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |           /* XXX DER_DEFAULT */
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(ocspResponseData, version),
+        mySEC_PointerToIntegerTemplate },
+    { SEC_ASN1_ANY,
+        offsetof(ocspResponseData, derResponderID) },
+    { SEC_ASN1_GENERALIZED_TIME,
+        offsetof(ocspResponseData, producedAt) },
+    { SEC_ASN1_SEQUENCE_OF,
+        offsetof(ocspResponseData, responses),
+        ocsp_mySingleResponseTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+        offsetof(ocspResponseData, responseExtensions),
+        myCERT_PointerToSequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template ocsp_EncodeBasicOCSPResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(ocspBasicOCSPResponse) },
+    { SEC_ASN1_POINTER,
+        offsetof(ocspBasicOCSPResponse, tbsResponseData),
+        ocsp_myResponseDataTemplate },
+    { SEC_ASN1_INLINE,
+        offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+        mySECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+        offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+        mySEC_PointerToSequenceOfAnyTemplate },
+    { 0 }
+};
+
+static CERTOCSPSingleResponse*
+ocsp_CreateSingleResponse(PLArenaPool *arena,
+                          CERTOCSPCertID *id, ocspCertStatus *status,
+                          PRTime thisUpdate, const PRTime *nextUpdate)
+{
+    CERTOCSPSingleResponse *sr;
+
+    if (!arena || !id || !status) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    sr = PORT_ArenaZNew(arena, CERTOCSPSingleResponse);
+    if (!sr)
+        return NULL;
+    sr->arena = arena;
+    sr->certID = id;
+    sr->certStatus = status;
+    if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate)
+             != SECSuccess)
+        return NULL;
+    sr->nextUpdate = NULL;
+    if (nextUpdate) {
+        sr->nextUpdate = SECITEM_AllocItem(arena, NULL, 0);
+        if (!sr->nextUpdate)
+            return NULL;
+        if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate)
+             != SECSuccess)
+            return NULL;
+    }
+
+    sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension*, 1);
+    if (!sr->singleExtensions)
+        return NULL;
+
+    sr->singleExtensions[0] = NULL;
+    
+    if (!SEC_ASN1EncodeItem(arena, &sr->derCertStatus,
+                            status, ocsp_CertStatusTemplate))
+        return NULL;
+
+    return sr;
+}
+
+CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
+                                  CERTOCSPCertID *id,
+                                  PRTime thisUpdate,
+                                  const PRTime *nextUpdate)
+{
+    ocspCertStatus * cs;
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    cs = ocsp_CreateCertStatus(arena, ocspCertStatus_good, 0);
+    if (!cs)
+        return NULL;
+    return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
+}
+
+CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
+                                     CERTOCSPCertID *id,
+                                     PRTime thisUpdate,
+                                     const PRTime *nextUpdate)
+{
+    ocspCertStatus * cs;
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    cs = ocsp_CreateCertStatus(arena, ocspCertStatus_unknown, 0);
+    if (!cs)
+        return NULL;
+    return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
+}
+
+CERTOCSPSingleResponse*
+CERT_CreateOCSPSingleResponseRevoked(
+    PLArenaPool *arena,
+    CERTOCSPCertID *id,
+    PRTime thisUpdate,
+    const PRTime *nextUpdate,
+    PRTime revocationTime,
+    const CERTCRLEntryReasonCode* revocationReason)
+{
+    ocspCertStatus * cs;
+    /* revocationReason is not yet supported, so it must be NULL. */
+    if (!arena || revocationReason) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    cs = ocsp_CreateCertStatus(arena, ocspCertStatus_revoked, revocationTime);
+    if (!cs)
+        return NULL;
+    return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
+}
+
+SECItem*
+CERT_CreateEncodedOCSPSuccessResponse(
+    PLArenaPool *arena,
+    CERTCertificate *responderCert,
+    CERTOCSPResponderIDType responderIDType,
+    PRTime producedAt,
+    CERTOCSPSingleResponse **responses,
+    void *wincx)
+{
+    PLArenaPool *tmpArena;
+    ocspResponseData *rd = NULL;
+    ocspResponderID *rid = NULL;
+    const SEC_ASN1Template *responderIDTemplate = NULL;
+    ocspBasicOCSPResponse *br = NULL;
+    ocspResponseBytes *rb = NULL;
+    CERTOCSPResponse *response = NULL;
+    
+    SECOidTag algID;
+    SECOidData *od = NULL;
+    SECKEYPrivateKey *privKey = NULL;
+    SECItem *result = NULL;
+  
+    if (!arena || !responderCert || !responses) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    if (responderIDType != ocspResponderID_byName &&
+        responderIDType != ocspResponderID_byKey) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!tmpArena)
+        return NULL;
+
+    rd = PORT_ArenaZNew(tmpArena, ocspResponseData);
+    if (!rd)
+        goto done;
+    rid = PORT_ArenaZNew(tmpArena, ocspResponderID);
+    if (!rid)
+        goto done;
+    br = PORT_ArenaZNew(tmpArena, ocspBasicOCSPResponse);
+    if (!br)
+        goto done;
+    rb = PORT_ArenaZNew(tmpArena, ocspResponseBytes);
+    if (!rb)
+        goto done;
+    response = PORT_ArenaZNew(tmpArena, CERTOCSPResponse);
+    if (!response)
+        goto done;
+    
+    rd->version.data=NULL;
+    rd->version.len=0;
+    rd->responseExtensions = NULL;
+    rd->responses = responses;
+    if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt)
+            != SECSuccess)
+        goto done;
+    rid->responderIDType = responderIDType;
+    if (responderIDType == ocspResponderID_byName) {
+        responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+        if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
+                           &responderCert->subject) != SECSuccess)
+            goto done;
+    }
+    else {
+        responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+        if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
+                                      &rid->responderIDValue.keyHash))
+            goto done;
+    }
+
+    if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
+            responderIDTemplate))
+        goto done;
+
+    br->tbsResponseData = rd;
+    
+    if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
+            ocsp_myResponseDataTemplate))
+        goto done;
+
+    br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
+    if (!br->responseSignature.derCerts)
+        goto done;
+    br->responseSignature.derCerts[0] = NULL;
+
+    privKey = PK11_FindKeyByAnyCert(responderCert, wincx);
+    if (!privKey)
+        goto done;
+
+    algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
+    if (algID == SEC_OID_UNKNOWN)
+        goto done;
+
+    if (SEC_SignData(&br->responseSignature.signature,
+                        br->tbsResponseDataDER.data, br->tbsResponseDataDER.len,
+                        privKey, algID)
+            != SECSuccess)
+        goto done;
+
+    /* convert len-in-bytes to len-in-bits */
+    br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
+
+    /* br->responseSignature.signature wasn't allocated from arena,
+     * we must free it when done. */
+
+    if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0)
+            != SECSuccess)
+        goto done;
+
+    if (!SEC_ASN1EncodeItem(tmpArena, &rb->response, br,
+                            ocsp_EncodeBasicOCSPResponseTemplate))
+        goto done;
+
+    rb->responseTypeTag = SEC_OID_PKIX_OCSP_BASIC_RESPONSE;
+
+    od = SECOID_FindOIDByTag(rb->responseTypeTag);
+    if (!od)
+        goto done;
+
+    rb->responseType = od->oid;
+    rb->decodedResponse.basic = br;
+
+    response->arena = tmpArena;
+    response->responseBytes = rb;
+    response->statusValue = ocspResponse_successful;
+
+    if (!SEC_ASN1EncodeInteger(tmpArena, &response->responseStatus,
+                               response->statusValue))
+        goto done;
+
+    result = SEC_ASN1EncodeItem(arena, NULL, response, ocsp_OCSPResponseTemplate);
+
+done:
+    if (privKey)
+        SECKEY_DestroyPrivateKey(privKey);
+    if (br->responseSignature.signature.data)
+        SECITEM_FreeItem(&br->responseSignature.signature, PR_FALSE);
+    PORT_FreeArena(tmpArena, PR_FALSE);
+
+    return result;
+}
+
+static const SEC_ASN1Template ocsp_OCSPErrorResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(CERTOCSPResponse) },
+    { SEC_ASN1_ENUMERATED,
+        offsetof(CERTOCSPResponse, responseStatus) },
+    { 0, 0,
+        mySEC_NullTemplate },
+    { 0 }
+};
+
+SECItem*
+CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error)
+{
+    CERTOCSPResponse response;
+    SECItem *result = NULL;
+
+    switch (error) {
+        case SEC_ERROR_OCSP_MALFORMED_REQUEST:
+            response.statusValue = ocspResponse_malformedRequest;
+            break;
+        case SEC_ERROR_OCSP_SERVER_ERROR:
+            response.statusValue = ocspResponse_internalError;
+            break;
+        case SEC_ERROR_OCSP_TRY_SERVER_LATER:
+            response.statusValue = ocspResponse_tryLater;
+            break;
+        case SEC_ERROR_OCSP_REQUEST_NEEDS_SIG:
+            response.statusValue = ocspResponse_sigRequired;
+            break;
+        case SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST:
+            response.statusValue = ocspResponse_unauthorized;
+            break;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return NULL;
+    }
+
+    if (!SEC_ASN1EncodeInteger(NULL, &response.responseStatus,
+                               response.statusValue))
+        return NULL;
+
+    result = SEC_ASN1EncodeItem(arena, NULL, &response,
+                                ocsp_OCSPErrorResponseTemplate);
+
+    SECITEM_FreeItem(&response.responseStatus, PR_FALSE);
+
+    return result;
+}
--- a/security/nss/lib/certhigh/ocspt.h
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Public header for exported OCSP types.
  *
- * $Id: ocspt.h,v 1.10 2012/04/25 14:49:27 gerv%gerv.net Exp $
+ * $Id: ocspt.h,v 1.11.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSPT_H_
 #define _OCSPT_H_
 
 /*
  * The following are all opaque types.  If someone needs to get at
  * a field within, then we need to fix the API.  Try very hard not
@@ -19,17 +19,16 @@
 typedef struct CERTOCSPRequestStr CERTOCSPRequest;
 typedef struct CERTOCSPResponseStr CERTOCSPResponse;
 
 /*
  * XXX I think only those first two above should need to be exported,
  * but until I know for certain I am leaving the rest of these here, too.
  */
 typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
-typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
 typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
 
 /*
  * This interface is described in terms of an HttpClient which
  * supports at least a specified set of functions. (An implementer may
  * provide HttpClients with additional functionality accessible only to
  * users with a particular implementation in mind.) The basic behavior
  * is provided by defining a set of functions, listed in an
@@ -276,9 +275,29 @@ typedef struct SEC_HttpClientFcnStruct {
  *
  * Additional failure modes might be added in the future.
  */
 typedef enum {
     ocspMode_FailureIsVerificationFailure = 0,
     ocspMode_FailureIsNotAVerificationFailure = 1
 } SEC_OcspFailureMode;
 
+/*
+ * A ResponderID identifies the responder -- or more correctly, the
+ * signer of the response.  The ASN.1 definition of a ResponderID is:
+ *
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * Because it is CHOICE, the type of identification used and the
+ * identification itself are actually encoded together.  To represent
+ * this same information internally, we explicitly define a type and
+ * save it, along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspResponderID_other = -1,		/* unknown kind of responderID */
+    ocspResponderID_byName = 1,
+    ocspResponderID_byKey = 2
+} CERTOCSPResponderIDType;
+
 #endif /* _OCSPT_H_ */
--- a/security/nss/lib/certhigh/ocspti.h
+++ b/security/nss/lib/certhigh/ocspti.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Private header defining OCSP types.
  *
- * $Id: ocspti.h,v 1.8 2012/04/25 14:49:27 gerv%gerv.net Exp $
+ * $Id: ocspti.h,v 1.8.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSPTI_H_
 #define _OCSPTI_H_
 
 #include "ocspt.h"
 
 #include "certt.h"
@@ -184,24 +184,24 @@ struct CERTOCSPCertIDStr {
  *	internalError		(2),	--Internal error in issuer
  *	tryLater		(3),	--Try again later
  *					--(4) is not used
  *	sigRequired		(5),	--Must sign the request
  *	unauthorized		(6),	--Request unauthorized
  * }
  */
 typedef enum {
+    ocspResponse_other = -1,		/* unknown/unrecognized value */
     ocspResponse_successful = 0,
     ocspResponse_malformedRequest = 1,
     ocspResponse_internalError = 2,
     ocspResponse_tryLater = 3,
     ocspResponse_unused = 4,
     ocspResponse_sigRequired = 5,
-    ocspResponse_unauthorized = 6,
-    ocspResponse_other			/* unknown/unrecognized value */
+    ocspResponse_unauthorized = 6
 } ocspResponseStatus;
 
 /*
  * An OCSPResponse is what is sent (encoded) by an OCSP responder.
  *
  * The field "responseStatus" is the ASN.1 encoded value; the field
  * "statusValue" is simply that same value translated into our local
  * type ocspResponseStatus.
@@ -261,38 +261,18 @@ struct ocspResponseDataStr {
     SECItem version;			/* an INTEGER */
     SECItem derResponderID;
     ocspResponderID *responderID;	/* local; not part of encoding */
     SECItem producedAt;			/* a GeneralizedTime */
     CERTOCSPSingleResponse **responses;
     CERTCertExtension **responseExtensions;
 };
 
-/*
- * A ResponderID identifies the responder -- or more correctly, the
- * signer of the response.  The ASN.1 definition of a ResponderID is:
- *
- * ResponderID	::=	CHOICE {
- *	byName			[1] EXPLICIT Name,
- *	byKey			[2] EXPLICIT KeyHash }
- *
- * Because it is CHOICE, the type of identification used and the
- * identification itself are actually encoded together.  To represent
- * this same information internally, we explicitly define a type and
- * save it, along with the value, into a data structure.
- */
-
-typedef enum {
-    ocspResponderID_byName,
-    ocspResponderID_byKey,
-    ocspResponderID_other		/* unknown kind of responderID */
-} ocspResponderIDType;
-
 struct ocspResponderIDStr {
-    ocspResponderIDType responderIDType;/* local; not part of encoding */
+    CERTOCSPResponderIDType responderIDType;/* local; not part of encoding */
     union {
 	CERTName name;			/* when ocspResponderID_byName */
 	SECItem keyHash;		/* when ocspResponderID_byKey */
 	SECItem other;			/* when ocspResponderID_other */
     } responderIDValue;
 };
 
 /*
--- a/security/nss/lib/ckfw/Makefile
+++ b/security/nss/lib/ckfw/Makefile
@@ -1,13 +1,13 @@
 # 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.18 $ $Date: 2012/04/25 14:49:28 $"
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.19 $ $Date: 2012/11/14 01:14:10 $"
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 include config.mk
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 ifdef NOTDEF # was ifdef MOZILLA_CLIENT
 NSS_BUILD_CAPI = 1
@@ -24,17 +24,17 @@ endif
 # nssckft.h: ck.api ckapi.perl
 # nssckg.h: ck.api ckapi.perl
 # nssck.api: ck.api ckapi.perl
 # 	$(PERL) ckapi.perl ck.api
 
 export:: private_export
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) # list omits WINCE
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
 ifdef NSS_BUILD_CAPI
 DIRS += capi
 endif
 endif
 
 #ifeq ($(OS_ARCH), Darwin)
 #DIRS += nssmkey
 #endif
--- a/security/nss/lib/ckfw/builtins/Makefile
+++ b/security/nss/lib/ckfw/builtins/Makefile
@@ -1,13 +1,13 @@
 # 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.21 $ $Date: 2012/04/25 14:49:29 $"
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.22 $ $Date: 2012/11/30 02:40:52 $"
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 include config.mk
 
 EXTRA_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
--- a/security/nss/lib/ckfw/builtins/certdata.perl
+++ b/security/nss/lib/ckfw/builtins/certdata.perl
@@ -1,14 +1,14 @@
 #!perl -w
 # 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-my $cvs_id = '@(#) $RCSfile: certdata.perl,v $ $Revision: 1.15 $ $Date: 2012/07/04 15:21:49 $';
+my $cvs_id = '@(#) $RCSfile: certdata.perl,v $ $Revision: 1.16 $ $Date: 2012/11/30 02:40:52 $';
 use strict;
 
 my %constants;
 my $count = 0;
 my $o;
 my @objects = ();
 my @objsize;
 my $cvsid;
--- a/security/nss/lib/ckfw/builtins/config.mk
+++ b/security/nss/lib/ckfw/builtins/config.mk
@@ -1,13 +1,13 @@
 # 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.15 $ $Date: 2012/04/25 14:49:29 $"
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.16 $ $Date: 2012/11/30 02:40:52 $"
 
 #
 #  Override TARGETS variable so that only shared libraries
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(SHARED_LIBRARY)
 LIBRARY        =
@@ -20,17 +20,17 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
     RESNAME = $(LIBRARY_NAME).rc
 endif
 
 ifdef BUILD_IDG
     DEFINES += -DNSSDEBUG
 endif
 
 # Needed for compilation of $(OBJDIR)/certdata.c
-INCLUDES += -I$(CORE_DEPTH)/nss/lib/ckfw/builtins
+INCLUDES += -I.
 
 #
 # To create a loadable module on Darwin, we must use -bundle.
 #
 ifeq ($(OS_TARGET),Darwin)
 ifndef USE_64
 DSO_LDOPTS = -bundle
 endif
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -209,17 +209,22 @@ typedef struct SECKEYPublicKeyStr SECKEY
      (0 != (key->staticflags & SECKEY_Attributes_Cached))
 
 #define SECKEY_ATTRIBUTE_VALUE(key,attribute) \
      (0 != (key->staticflags & SECKEY_##attribute))
 
 #define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \
     (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
     (0 != (key->staticflags & SECKEY_##attribute)) : \
-    PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute)
+    PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, PR_FALSE)
+
+#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key,attribute, haslock) \
+    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
+    (0 != (key->staticflags & SECKEY_##attribute)) : \
+    PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, haslock)
 
 /*
 ** A generic key structure
 */ 
 struct SECKEYPrivateKeyStr {
     PLArenaPool *arena;
     KeyType keyType;
     PK11SlotInfo *pkcs11Slot;	/* pkcs11 slot this key lives in */
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -8,17 +8,16 @@
 #include "secder.h"
 #include "base64.h"
 #include "secasn1.h"
 #include "cert.h"
 #include "pk11func.h"
 #include "secerr.h"
 #include "secdig.h"
 #include "prtime.h"
-#include "ec.h"
 #include "keyi.h"
 
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
 
 const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTSubjectPublicKeyInfo) },
@@ -1913,17 +1912,17 @@ SECKEY_AddPublicKeyToListTail( SECKEYPub
     node->key = key;
     return(SECSuccess);
 
 loser:
     return(SECFailure);
 }
 
 #define SECKEY_CacheAttribute(key, attribute) \
-    if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute)) { \
+    if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \
         key->staticflags |= SECKEY_##attribute; \
     } else { \
         key->staticflags &= (~SECKEY_##attribute); \
     }
 
 SECStatus
 SECKEY_CacheStaticFlags(SECKEYPrivateKey* key)
 {
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -110,17 +110,17 @@ endif
 ifeq (OS2,$(OS_TARGET))
     ASFILES  = mpi_x86_os2.s
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
     DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
     DEFINES += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 endif
 
-ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WINCE
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
 ifndef USE_64
 # 32-bit Windows
 ifdef NS_USE_GCC
 # Ideally, we want to use assembler
 #     ASFILES  = mpi_x86.s
 #     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
 #                -DMP_ASSEMBLY_DIV_2DX1D
 # but we haven't figured out how to make it work, so we are not
@@ -150,21 +150,16 @@ else
     ASFILES  = arcfour-amd64-masm.asm mpi_amd64_masm.asm mp_comba_amd64_masm.asm
     DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
     DEFINES += -DNSS_USE_COMBA
     MPI_SRCS += mpi_amd64.c
 endif
 endif
 endif
 
-ifeq ($(OS_TARGET),WINCE)
-    DEFINES += -DMP_ARGCHK=0	# no assert in WinCE
-    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
-endif
-
 ifeq ($(OS_TARGET),IRIX)
 ifeq ($(USE_N32),1)
     ASFILES  = mpi_mips.s
     ifeq ($(NS_USE_GCC),1)
 	ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3
     else
 	ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
     endif
--- a/security/nss/lib/freebl/arcfour.c
+++ b/security/nss/lib/freebl/arcfour.c
@@ -27,21 +27,16 @@
 #if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR)
 /* Treat array variables as words, not bytes, on CPUs that take 
  * much longer to write bytes than to write words, or when using 
  * assembler code that required it.
  */
 #define USE_WORD
 #endif
 
-#if defined(_WIN32_WCE)
-#undef WORD
-#define WORD ARC4WORD
-#endif
-
 #if (defined(IS_64))
 typedef PRUint64 WORD;
 #else
 typedef PRUint32 WORD;
 #endif
 #define WORDSIZE sizeof(WORD)
 
 #if defined(USE_WORD)
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -48,23 +48,21 @@ endif
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
 SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
 
 RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
-ifndef WINCE
 ifdef NS_USE_GCC
 OS_LIBS += -lshell32
 else
 OS_LIBS += shell32.lib
 endif
-endif
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lnspr4 \
--- a/security/nss/lib/freebl/genload.c
+++ b/security/nss/lib/freebl/genload.c
@@ -22,16 +22,26 @@
  * If 'link' is a symbolic link, this function follows the symbolic links
  * and returns the pathname of the ultimate source of the symbolic links.
  * If 'link' is not a symbolic link, this function returns NULL.
  * The caller should call PR_Free to free the string returned by this
  * function.
  */
 static char* loader_GetOriginalPathname(const char* link)
 {
+#ifdef __GLIBC__
+    char* tmp = realpath(link, NULL);
+    char* resolved;
+    if (! tmp)
+    	return NULL;
+    resolved = PR_Malloc(strlen(tmp) + 1);
+    strcpy(resolved, tmp); /* This is necessary because PR_Free might not be using free() */
+    free(tmp);
+    return resolved;
+#else
     char* resolved = NULL;
     char* input = NULL;
     PRUint32 iterations = 0;
     PRInt32 len = 0, retlen = 0;
     if (!link) {
         PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
         return NULL;
     }
@@ -56,16 +66,17 @@ static char* loader_GetOriginalPathname(
         resolved = tmp;
     }
     PR_Free(resolved);
     if (iterations == 1 && retlen < 0) {
         PR_Free(input);
         input = NULL;
     }
     return input;
+#endif
 }
 #endif /* XP_UNIX */
 
 /*
  * Load the library with the file name 'name' residing in the same
  * directory as the reference library, whose pathname is 'referencePath'.
  */
 static PRLibrary *
--- a/security/nss/lib/freebl/intel-aes.s
+++ b/security/nss/lib/freebl/intel-aes.s
@@ -551,18 +551,20 @@ 2:	xor	%eax, %eax
    in %r8  : input - pointer to input buffer
    in %r9  : inputLen - length of input buffer
    on stack: blocksize - AES blocksize (always 16, unused)
 */
 	.type intel_aes_decrypt_cbc_128,@function
 	.globl intel_aes_decrypt_cbc_128
 	.align	16
 intel_aes_decrypt_cbc_128:
-	leaq	16(%rdi), %rdx  /* iv */
-	leaq	48(%rdi), %rdi  /* expanded key */
+//	leaq	IV_OFFSET(%rdi), %rdx
+//	leaq	EXPANDED_KEY_OFFSET(%rdi), %rdi
+	leaq	16(%rdi), %rdx
+	leaq	48(%rdi), %rdi
 
 	movdqu	(%rdx), %xmm0   /* iv */
 	movdqu	(%rdi), %xmm2   /* first key block */
 	movdqu	160(%rdi), %xmm12 /* last key block */
 	xorl	%eax, %eax
 	cmpq	$128, %r9
 	jb	1f
 	leaq	-128(%r9), %r11
--- a/security/nss/lib/freebl/mpi/mpcpucache.c
+++ b/security/nss/lib/freebl/mpi/mpcpucache.c
@@ -69,23 +69,23 @@ void freebl_cpuid(unsigned long op, unsi
 /* x86 */
 
 #if defined(__GNUC__)
 void freebl_cpuid(unsigned long op, unsigned long *eax, 
 	                 unsigned long *ebx, unsigned long *ecx, 
                          unsigned long *edx)
 {
 /* sigh GCC isn't smart enough to save the ebx PIC register on it's own
- * in this case, so do it by hand. */
-	__asm__("pushl %%ebx\n\t"
+ * in this case, so do it by hand. Use edi to store ebx and pass the
+ * value returned in ebx from cpuid through edi. */
+	__asm__("mov %%ebx,%%edi\n\t"
 		  "cpuid\n\t"
-		  "mov %%ebx,%1\n\t"
-		  "popl %%ebx\n\t"
+		  "xchgl %%ebx,%%edi\n\t"
 		: "=a" (*eax),
-		  "=r" (*ebx),
+		  "=D" (*ebx),
 		  "=c" (*ecx),
 		  "=d" (*edx)
 		: "0" (op));
 }
 
 /*
  * try flipping a processor flag to determine CPU type
  */
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -1,17 +1,17 @@
 /*
  *  mpi.h
  *
  *  Arbitrary precision integer arithmetic library
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: mpi.h,v 1.25 2012/04/25 14:49:50 gerv%gerv.net Exp $ */
+/* $Id: mpi.h,v 1.26 2012/11/14 01:14:11 wtc%google.com Exp $ */
 
 #ifndef _H_MPI_
 #define _H_MPI_
 
 #include "mpi-config.h"
 
 #if MP_DEBUG
 #undef MP_IOFUNC
@@ -24,21 +24,17 @@
 #endif
 
 #include <limits.h>
 
 #if defined(BSDI)
 #undef ULLONG_MAX
 #endif
 
-#if defined( _WIN32_WCE)
-/* #include <sys/types.h> What do we need here ?? */
-#else
 #include <sys/types.h>
-#endif
 
 #define  MP_NEG    1
 #define  MP_ZPOS   0
 
 #define  MP_OKAY          0 /* no error, all is well */
 #define  MP_YES           0 /* yes (boolean result)  */
 #define  MP_NO           -1 /* no (boolean result)   */
 #define  MP_MEM          -2 /* out of memory         */
--- a/security/nss/lib/freebl/mpi/mpi_arm.c
+++ b/security/nss/lib/freebl/mpi/mpi_arm.c
@@ -52,17 +52,17 @@ void s_mpv_mul_d_add(const mp_digit *a, 
     "cmp     %1, r5\n" /* r5 is 0 now */
     "beq     2f\n"
 #endif
 
     "1:\n"
     "mov     r4, #0\n"
     "ldr     r6, [%3]\n"
     "adds    r5, r6\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
 
     "ldr     r6, [%0], #4\n"
     "umlal   r5, r4, r6, %2\n"
     "str     r5, [%3], #4\n"
     "mov     r5, r4\n"
 
     "subs    %1, #1\n"
     "bne     1b\n"
@@ -81,17 +81,17 @@ void s_mpv_mul_d_add_prop(const mp_digit
 
   __asm__ __volatile__(
     "mov     r5, #0\n"
 
     "1:\n"
     "mov     r4, #0\n"
     "ldr     r6, [%3]\n"
     "adds    r5, r6\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
     "ldr     r6, [%0], #4\n"
     "umlal   r5, r4, r6, %2\n"
     "str     r5, [%3], #4\n"
     "mov     r5, r4\n"
 
     "subs    %1, #1\n"
     "bne     1b\n"
 
@@ -101,17 +101,17 @@ void s_mpv_mul_d_add_prop(const mp_digit
     "cmp     r4, #0\n"
     "beq     3f\n"
 #endif
 
     "2:\n"
     "mov     r4, #0\n"
     "ldr     r6, [%3]\n"
     "adds    r5, r6\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
     "str     r5, [%3], #4\n"
     "movs    r5, r4\n"
     "bne     2b\n"
 
     "3:\n"
     :
     : "r"(a), "r"(a_len), "r"(b), "r"(c)
     : "memory", "cc", "%r4", "%r5", "%r6");
@@ -127,24 +127,24 @@ void s_mpv_sqr_add_prop(const mp_digit *
   __asm__ __volatile__(
     "mov     r3, #0\n"
 
     "1:\n"
     "mov     r4, #0\n"
     "ldr     r6, [%0], #4\n"
     "ldr     r5, [%2]\n"
     "adds    r3, r5\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
     "umlal   r3, r4, r6, r6\n" /* w = r3:r4 */
     "str     r3, [%2], #4\n"
 
     "ldr     r5, [%2]\n"
     "adds    r3, r4, r5\n"
     "mov     r4, #0\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
     "str     r3, [%2], #4\n"
     "mov     r3, r4\n"
 
     "subs    %1, #1\n"
     "bne     1b\n"
 
 #ifdef __thumb2__
     "cbz     r3, 3f\n"
@@ -152,17 +152,17 @@ void s_mpv_sqr_add_prop(const mp_digit *
     "cmp     r3, #0\n"
     "beq     3f\n"
 #endif
 
     "2:\n"
     "mov     r4, #0\n"
     "ldr     r5, [%2]\n"
     "adds    r3, r5\n"
-    "adc     r4, #0\n"
+    "adc     r4, r4, #0\n"
     "str     r3, [%2], #4\n"
     "movs    r3, r4\n"
     "bne     2b\n"
 
     "3:"
     :
     : "r"(pa), "r"(a_len), "r"(ps)
     : "memory", "cc", "%r3", "%r4", "%r5", "%r6");
--- a/security/nss/lib/freebl/mpi/mpmontg.c
+++ b/security/nss/lib/freebl/mpi/mpmontg.c
@@ -1,12 +1,12 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: mpmontg.c,v 1.24 2012/04/25 14:49:50 gerv%gerv.net Exp $ */
+/* $Id: mpmontg.c,v 1.25 2012/11/14 01:14:11 wtc%google.com Exp $ */
 
 /* This file implements moduluar exponentiation using Montgomery's
  * method for modular reduction.  This file implements the method
  * described as "Improvement 2" in the paper "A Cryptogrpahic Library for
  * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
  * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
  * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
  * published by Springer Verlag.
@@ -30,22 +30,16 @@
        "  if you define MP_CHAR_STORE_SLOW."
 #endif
 #endif
 
 #define STATIC
 
 #define MAX_ODD_INTS    32   /* 2 ** (WINDOW_BITS - 1) */
 
-#if defined(_WIN32_WCE)
-#define ABORT  res = MP_UNDEF; goto CLEANUP
-#else
-#define ABORT abort()
-#endif
-
 /*! computes T = REDC(T), 2^b == R 
     \param T < RN
 */
 mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
 {
   mp_err res;
   mp_size i;
 
@@ -252,47 +246,47 @@ mp_err mp_exptmod_f(const mp_int *   mon
     smallExp = (mp_size)res;
 
     if (window_bits == 1) {
       if (!smallExp) {
 	SQR;
       } else if (smallExp & 1) {
 	SQR; MUL(0); 
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 4) {
       if (!smallExp) {
 	SQR; SQR; SQR; SQR;
       } else if (smallExp & 1) {
 	SQR; SQR; SQR; SQR; MUL(smallExp/2); 
       } else if (smallExp & 2) {
 	SQR; SQR; SQR; MUL(smallExp/4); SQR; 
       } else if (smallExp & 4) {
 	SQR; SQR; MUL(smallExp/8); SQR; SQR; 
       } else if (smallExp & 8) {
 	SQR; MUL(smallExp/16); SQR; SQR; SQR; 
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 5) {
       if (!smallExp) {
 	SQR; SQR; SQR; SQR; SQR; 
       } else if (smallExp & 1) {
 	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2);
       } else if (smallExp & 2) {
 	SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR;
       } else if (smallExp & 4) {
 	SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR;
       } else if (smallExp & 8) {
 	SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR;
       } else if (smallExp & 0x10) {
 	SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR;
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 6) {
       if (!smallExp) {
 	SQR; SQR; SQR; SQR; SQR; SQR;
       } else if (smallExp & 1) {
 	SQR; SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2); 
       } else if (smallExp & 2) {
 	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR; 
@@ -300,20 +294,20 @@ mp_err mp_exptmod_f(const mp_int *   mon
 	SQR; SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR; 
       } else if (smallExp & 8) {
 	SQR; SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR; 
       } else if (smallExp & 0x10) {
 	SQR; SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR; 
       } else if (smallExp & 0x20) {
 	SQR; MUL(smallExp/64); SQR; SQR; SQR; SQR; SQR; 
       } else {
-	ABORT;
+	abort();
       }
     } else {
-      ABORT;
+      abort();
     }
   }
 
   s_mp_copy(mResult, MP_DIGITS(&accum1), nLen); /* from, to, len */
 
   res = s_mp_redc(&accum1, mmm);
   mp_exch(&accum1, result);
 
@@ -400,17 +394,17 @@ mp_err mp_exptmod_i(const mp_int *   mon
     smallExp = (mp_size)res;
 
     if (window_bits == 1) {
       if (!smallExp) {
 	SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 1) {
 	SQR(pa1,pa2); MUL(0,pa2,pa1);
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 4) {
       if (!smallExp) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
       } else if (smallExp & 1) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	MUL(smallExp/2, pa1,pa2); SWAPPA;
       } else if (smallExp & 2) {
@@ -418,17 +412,17 @@ mp_err mp_exptmod_i(const mp_int *   mon
 	MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 4) {
 	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/8,pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 8) {
 	SQR(pa1,pa2); MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 5) {
       if (!smallExp) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 1) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	SQR(pa1,pa2); MUL(smallExp/2,pa2,pa1);
@@ -440,17 +434,17 @@ mp_err mp_exptmod_i(const mp_int *   mon
 	MUL(smallExp/8,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
       } else if (smallExp & 8) {
 	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/16,pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
       } else if (smallExp & 0x10) {
 	SQR(pa1,pa2); MUL(smallExp/32,pa2,pa1); SQR(pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
       } else {
-	ABORT;
+	abort();
       }
     } else if (window_bits == 6) {
       if (!smallExp) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	SQR(pa1,pa2); SQR(pa2,pa1);
       } else if (smallExp & 1) {
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/2,pa1,pa2); SWAPPA;
@@ -466,20 +460,20 @@ mp_err mp_exptmod_i(const mp_int *   mon
 	SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 0x10) {
 	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/32,pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
       } else if (smallExp & 0x20) {
 	SQR(pa1,pa2); MUL(smallExp/64,pa2,pa1); SQR(pa1,pa2); 
 	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
       } else {
-	ABORT;
+	abort();
       }
     } else {
-      ABORT;
+      abort();
     }
   }
 
   res = s_mp_redc(pa1, mmm);
   mp_exch(pa1, result);
 
 CLEANUP:
   mp_clear(&accum1);
@@ -1008,32 +1002,32 @@ mp_err mp_exptmod_safe_i(const mp_int * 
     /* handle unroll the loops */
     switch (window_bits) {
     case 1:
 	if (!smallExp) {
 	    SQR(pa1,pa2); SWAPPA;
 	} else if (smallExp & 1) {
 	    SQR(pa1,pa2); MUL_NOWEAVE(montBase,pa2,pa1);
 	} else {
-	    ABORT;
+	    abort();
 	}
 	break;
     case 6:
 	SQR(pa1,pa2); SQR(pa2,pa1); 
 	/* fall through */
     case 4:
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
 	MUL(smallExp, pa1,pa2); SWAPPA;
 	break;
     case 5:
 	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
 	SQR(pa1,pa2); MUL(smallExp,pa2,pa1);
 	break;
     default:
-	ABORT; /* could do a loop? */
+	abort(); /* could do a loop? */
     }
   }
 
   res = s_mp_redc(pa1, mmm);
   mp_exch(pa1, result);
 
 CLEANUP:
   mp_clear(&accum1);
--- a/security/nss/lib/freebl/nsslowhash.c
+++ b/security/nss/lib/freebl/nsslowhash.c
@@ -1,12 +1,12 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: nsslowhash.c,v 1.9 2012/06/26 22:27:29 rrelyea%redhat.com Exp $ */
+/* $Id: nsslowhash.c,v 1.10 2012/11/21 22:19:22 emaldona%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 #include "prtypes.h"
 #include "secerr.h"
 #include "pkcs11t.h"
 #include "blapi.h"
@@ -97,20 +97,20 @@ freebl_fips_SHA_PowerUpSelfTest( void )
     /* SHA-1 Known Digest Message (160-bits). */
     static const PRUint8 sha1_known_digest[] = {
 			       0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
 			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
 			       0xe0,0x68,0x47,0x7a};
 
     /* SHA-224 Known Digest Message (224-bits). */
     static const PRUint8 sha224_known_digest[] = {
-        0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, 
-        0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8,
-        0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64,
-        0x9a,0xb8,0x98,0x4e};
+        0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f,
+        0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f,
+        0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f,
+        0x8e,0x08,0xe5,0xcb};
 
     /* SHA-256 Known Digest Message (256-bits). */
     static const PRUint8 sha256_known_digest[] = {
         0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
         0x11,0xd4,0x0b,0xdc,0xce,0x35,0x14,0x8d,
         0xf2,0xdd,0xaf,0xaf,0xcf,0xb7,0x87,0xe9,
         0x96,0xa5,0xd2,0x83,0x62,0x46,0x56,0x79};
  
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -3,26 +3,20 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secrng.h"
 #include "secerr.h"
 
 #ifdef XP_WIN
 #include <windows.h>
 #include <shlobj.h>     /* for CSIDL constants */
-
-#if defined(_WIN32_WCE)
-#include <stdlib.h>	/* Win CE puts lots of stuff here. */
-#include "prprf.h"	/* for PR_snprintf */
-#else
 #include <time.h>
 #include <io.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#endif
 #include <stdio.h>
 #include "prio.h"
 #include "prerror.h"
 
 static PRInt32  filesToRead;
 static DWORD    totalFileBytes;
 static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
 static DWORD    dwNumFiles, dwReadEvery, dwFileToRead;
@@ -41,16 +35,17 @@ CurrentClockTickTime(LPDWORD lpdwHigh, L
     return TRUE;
 }
 
 size_t RNG_GetNoise(void *buf, size_t maxbuf)
 {
     DWORD   dwHigh, dwLow, dwVal;
     int     n = 0;
     int     nBytes;
+    time_t  sTime;
 
     if (maxbuf <= 0)
         return 0;
 
     CurrentClockTickTime(&dwHigh, &dwLow);
 
     // get the maximally changing bits first
     nBytes = sizeof(dwLow) > maxbuf ? maxbuf : sizeof(dwLow);
@@ -75,32 +70,21 @@ size_t RNG_GetNoise(void *buf, size_t ma
     nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
     memcpy(((char *)buf) + n, &dwVal, nBytes);
     n += nBytes;
     maxbuf -= nBytes;
 
     if (maxbuf <= 0)
         return n;
 
-    {
-#if defined(_WIN32_WCE)
-    // get the number of milliseconds elapsed since Windows CE was started. 
-    FILETIME sTime;
-    SYSTEMTIME st;
-    GetSystemTime(&st);
-    SystemTimeToFileTime(&st,&sTime);
-#else
-    time_t  sTime;
     // get the time in seconds since midnight Jan 1, 1970
     time(&sTime);
-#endif
     nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
     memcpy(((char *)buf) + n, &sTime, nBytes);
     n += nBytes;
-    }
 
     return n;
 }
 
 typedef PRInt32 (* Handler)(const PRUnichar *);
 #define MAX_DEPTH 2
 #define MAX_FOLDERS 4
 #define MAX_FILES 1024
@@ -149,20 +133,18 @@ EnumSystemFilesInFolder(Handler func, PR
 
 static BOOL
 EnumSystemFiles(Handler func)
 {
     PRUnichar szSysDir[_MAX_PATH];
     static const int folders[] = {
     	CSIDL_BITBUCKET,  
 	CSIDL_RECENT,
-#ifndef WINCE		     
 	CSIDL_INTERNET_CACHE, 
 	CSIDL_HISTORY,
-#endif
 	0
     };
     int i = 0;
     if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
         if (i > 0 && szSysDir[i-1] == L'\\')
 	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
         EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
     }
@@ -266,52 +248,46 @@ ReadSystemFiles(void)
 
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
     char            buffer[256];
     int             nBytes;
     MEMORYSTATUS    sMem;
     HANDLE          hVal;
-#if !defined(_WIN32_WCE)
     DWORD           dwSerialNum;
     DWORD           dwComponentLen;
     DWORD           dwSysFlags;
     char            volName[128];
     DWORD           dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
-#endif
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 
     sMem.dwLength = sizeof(sMem);
     GlobalMemoryStatus(&sMem);                // assorted memory stats
     RNG_RandomUpdate(&sMem, sizeof(sMem));
-#if !defined(_WIN32_WCE)
+
     dwVal = GetLogicalDrives();
     RNG_RandomUpdate(&dwVal, sizeof(dwVal));  // bitfields in bits 0-25
-#endif
 
-#if !defined(_WIN32_WCE)
     dwVal = sizeof(buffer);
     if (GetComputerName(buffer, &dwVal))
         RNG_RandomUpdate(buffer, dwVal);
-#endif
 
     hVal = GetCurrentProcess();               // 4 or 8 byte pseudo handle (a
                                               // constant!) of current process
     RNG_RandomUpdate(&hVal, sizeof(hVal));
 
     dwVal = GetCurrentProcessId();            // process ID (4 bytes)
     RNG_RandomUpdate(&dwVal, sizeof(dwVal));
 
     dwVal = GetCurrentThreadId();             // thread ID (4 bytes)
     RNG_RandomUpdate(&dwVal, sizeof(dwVal));
 
-#if !defined(_WIN32_WCE)
     volName[0] = '\0';
     buffer[0] = '\0';
     GetVolumeInformation(NULL,
                          volName,
                          sizeof(volName),
                          &dwSerialNum,
                          &dwComponentLen,
                          &dwSysFlags,
@@ -326,17 +302,16 @@ void RNG_SystemInfoForRNG(void)
 
     if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, 
                          &dwNumClusters)) {
         RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
         RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
         RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
-#endif
 
     // Skip the potentially slow file scanning if the OS's PRNG worked.
     if (!usedWindowsPRNG)
 	ReadSystemFiles();
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
@@ -347,73 +322,16 @@ static void rng_systemJitter(void)
     EnumSystemFiles(ReadOneFile);
     dwFileToRead++;
     if (dwFileToRead >= dwNumFiles) {
 	dwFileToRead = 0;
     }
 }
 
 
-#if defined(_WIN32_WCE)
-void RNG_FileForRNG(const char *filename)
-{
-    PRFileDesc *    file;
-    int             nBytes;
-    PRFileInfo      infoBuf;
-    unsigned char   buffer[1024];
-
-    if (PR_GetFileInfo(filename, &infoBuf) != PR_SUCCESS)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf));
-
-    file = PR_Open(filename, PR_RDONLY, 0);
-    if (file != NULL) {
-        for (;;) {
-            PRInt32 bytes = PR_Read(file, buffer, sizeof buffer);
-
-            if (bytes <= 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        PR_Close(file);
-    }
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-/*
- * The Windows CE and Windows Mobile FIPS Security Policy, page 13,
- * (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp825.pdf)
- * says CeGenRandom is the right function to call for creating a seed
- * for a random number generator.
- */
-size_t RNG_SystemRNG(void *dest, size_t maxLen)
-{
-    size_t bytes = 0;
-    usedWindowsPRNG = PR_FALSE;
-    if (CeGenRandom(maxLen, dest)) {
-	bytes = maxLen;
-	usedWindowsPRNG = PR_TRUE;
-    }
-    if (bytes == 0) {
-	bytes = rng_systemFromNoise(dest,maxLen);
-    }
-    return bytes;
-}
-
-
-#else /* not WinCE */
-
 void RNG_FileForRNG(const char *filename)
 {
     FILE*           file;
     int             nBytes;
     struct stat     stat_buf;
     unsigned char   buffer[1024];
 
     /* windows doesn't initialize all the bytes in the stat buf,
@@ -537,11 +455,9 @@ size_t RNG_SystemRNG(void *dest, size_t 
     }
     if (bytes == 0) {
 	bytes = rng_systemFromNoise(dest,maxLen);
     }
 done:
     FreeLibrary(hModule);
     return bytes;
 }
-#endif  /* not WinCE */
-
 #endif  /* is XP_WIN */
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1006,8 +1006,18 @@ CERT_CheckOCSPStatus;
 CERT_DecodeOCSPRequest;
 CERT_GetEncodedOCSPResponse;
 PK11_GetBestSlotWithAttributes;
 PK11_GetBestSlotMultipleWithAttributes;
 PK11_PQG_ParamGenV2;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.14.1 {    # NSS 3.14.1 release
+;+    global:
+CERT_CreateEncodedOCSPErrorResponse;
+CERT_CreateEncodedOCSPSuccessResponse;
+CERT_CreateOCSPSingleResponseGood;
+CERT_CreateOCSPSingleResponseUnknown;
+CERT_CreateOCSPSingleResponseRevoked;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -1,15 +1,15 @@
 /*
  * NSS utility functions
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: nss.h,v 1.99 2012/10/18 16:54:44 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.100.2.1 2012/12/13 19:11:46 wtc%google.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
 #ifdef NSS_ENABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
@@ -29,21 +29,21 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.14.0.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.14.1.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   14
-#define NSS_VPATCH   0
-#define NSS_VBUILD   1
+#define NSS_VPATCH   1
+#define NSS_VBUILD   0
 #define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -1,15 +1,15 @@
 /*
  * NSS utility functions
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: nssinit.c,v 1.119 2012/10/09 18:22:46 emaldona%redhat.com Exp $ */
+/* $Id: nssinit.c,v 1.120 2012/11/17 01:45:33 wtc%google.com Exp $ */
 
 #include <ctype.h>
 #include <string.h>
 #include "seccomon.h"
 #include "prerror.h"
 #include "prinit.h"
 #include "prprf.h"
 #include "prmem.h"
@@ -632,19 +632,18 @@ nss_Init(const char *configdir, const ch
 	}
     } else {
 	configStrings = pk11_config_strings;
 	configName = pk11_config_name;
 	passwordRequired = pk11_password_required;
     }
 
     /* Skip the module init if we are already initted and we are trying
-     * to init with not noCertDB and noModDB */
+     * to init with noCertDB and noModDB */
     if (!(isReallyInitted && noCertDB && noModDB)) {
-	/* we always try to initialize the modules */
 	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
 		updateName, configName, configStrings, passwordRequired,
 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
 		(initContextPtr != NULL));
 
 	if (rv != SECSuccess) {
 	    goto loser;
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -735,31 +735,31 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key
     PRBool isPrivate;
     SECStatus rv;
 
     /* don't know? look it up */
     if (keyType == nullKey) {
 	CK_KEY_TYPE pk11Type = CKK_RSA;
 
 	pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
-	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
+	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN,PR_FALSE);
 	switch (pk11Type) {
 	case CKK_RSA: keyType = rsaKey; break;
 	case CKK_DSA: keyType = dsaKey; break;
 	case CKK_DH: keyType = dhKey; break;
 	case CKK_KEA: keyType = fortezzaKey; break;
 	case CKK_EC: keyType = ecKey; break;
 	default:
 		break;
 	}
     }
 
     /* if the key is private, make sure we are authenticated to the
      * token before we try to use it */
-    isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE);
+    isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE,PR_FALSE);
     if (isPrivate) {
 	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
  	if (rv != SECSuccess) {
  	    return NULL;
  	}
     }
 
     /* now we need to create space for the private key */
@@ -1427,17 +1427,17 @@ PK11_GenerateKeyPairWithOpFlags(PK11Slot
 	} 
 	PK11_DestroyObject(slot,pubID);
 	PK11_DestroyObject(slot,privID);
 	return NULL;
     }
 
     /* set the ID to the public key so we can find it again */
     cka_id = pk11_MakeIDFromPublicKey(*pubKey);
-    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
+    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN,PR_FALSE);
 
     PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
 
     if (haslock) { PK11_EnterSlotMonitor(slot); }
     crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
 		&setTemplate, 1);
    
     if (crv == CKR_OK && pubIsToken) {
--- a/security/nss/lib/pk11wrap/pk11auth.c
+++ b/security/nss/lib/pk11wrap/pk11auth.c
@@ -40,18 +40,19 @@ static struct PK11GlobalStruct {
  
 /***********************************************************
  * Password Utilities
  ***********************************************************/
 /*
  * Check the user's password. Log into the card if it's correct.
  * succeed if the user is already logged in.
  */
-SECStatus
-pk11_CheckPassword(PK11SlotInfo *slot,char *pw,PRBool contextSpecific)
+static SECStatus
+pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+			char *pw, PRBool alreadyLocked, PRBool contextSpecific)
 {
     int len = 0;
     CK_RV crv;
     SECStatus rv;
     int64 currtime = PR_Now();
     PRBool mustRetry;
     int retry = 0;
 
@@ -61,23 +62,23 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch
     } else if (pw == NULL) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     } else {
 	len = PORT_Strlen(pw);
     }
 
     do {
-	PK11_EnterSlotMonitor(slot);
-	crv = PK11_GETTAB(slot)->C_Login(slot->session,
+	if (!alreadyLocked) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_Login(session,
 		contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER,
 						(unsigned char *)pw,len);
 	slot->lastLoginCheck = 0;
 	mustRetry = PR_FALSE;
-	PK11_ExitSlotMonitor(slot);
+	if (!alreadyLocked) PK11_ExitSlotMonitor(slot);
 	switch (crv) {
 	/* if we're already logged in, we're good to go */
 	case CKR_OK:
 		/* TODO If it was for CKU_CONTEXT_SPECIFIC should we do this */
 	    slot->authTransact = PK11_Global.transaction;
 	    /* Fall through */
 	case CKR_USER_ALREADY_LOGGED_IN:
 	    slot->authTime = currtime;
@@ -86,20 +87,29 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch
 	case CKR_PIN_INCORRECT:
 	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
 	    rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
 	    break;
 	/* someone called reset while we fetched the password, try again once
 	 * if the token is still there. */
 	case CKR_SESSION_HANDLE_INVALID:
 	case CKR_SESSION_CLOSED:
+	    if (session != slot->session) {
+		/* don't bother retrying, we were in a middle of an operation,
+		 * which is now lost. Just fail. */
+	        PORT_SetError(PK11_MapError(crv));
+	        rv = SECFailure; 
+		break;
+	    }
 	    if (retry++ == 0) {
 		rv = PK11_InitToken(slot,PR_FALSE);
 		if (rv == SECSuccess) {
 		    if (slot->session != CK_INVALID_SESSION) {
+			session = slot->session; /* we should have 
+						  * a new session now */
 			mustRetry = PR_TRUE;
 		    } else {
 			PORT_SetError(PK11_MapError(crv));
 			rv = SECFailure;
 		    }
 		}
 		break;
 	    }
@@ -237,17 +247,18 @@ PK11_HandlePasswordCheck(PK11SlotInfo *s
 			 (PK11_Global.transaction != slot->authTransact)) {
     	    PK11_EnterSlotMonitor(slot);
 	    PK11_GETTAB(slot)->C_Logout(slot->session);
 	    slot->lastLoginCheck = 0;
     	    PK11_ExitSlotMonitor(slot);
 	    NeedAuth = PR_TRUE;
 	}
     }
-    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx,PR_FALSE);
+    if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE,
+			wincx, PR_FALSE, PR_FALSE);
 }
 
 void
 PK11_SlotDBUpdate(PK11SlotInfo *slot)
 {
     SECMOD_UpdateModule(slot->module);
 }
 
@@ -296,17 +307,18 @@ pk11_LoginStillRequired(PK11SlotInfo *sl
 
 /*
  * make sure a slot is authenticated...
  * This function only does the authentication if it is needed.
  */
 SECStatus
 PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
     if (pk11_LoginStillRequired(slot,wincx)) {
-	return PK11_DoPassword(slot,loadCerts,wincx,PR_FALSE);
+	return PK11_DoPassword(slot, slot->session, loadCerts, wincx,
+				PR_FALSE, PR_FALSE);
     }
     return SECSuccess;
 }
 
 /*
  * Authenticate to "unfriendly" tokens (tokens which need to be logged
  * in to find the certs.
  */
@@ -527,17 +539,18 @@ PK11_SetIsLoggedInFunc(PK11IsLoggedInFun
 /*
  * authenticate to a slot. This loops until we can't recover, the user
  * gives up, or we succeed. If we're already logged in and this function
  * is called we will still prompt for a password, but we will probably
  * succeed no matter what the password was (depending on the implementation
  * of the PKCS 11 module.
  */
 SECStatus
-PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx,
+PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+			PRBool loadCerts, void *wincx, PRBool alreadyLocked,
 			PRBool contextSpecific)
 {
     SECStatus rv = SECFailure;
     char * password;
     PRBool attempt = PR_FALSE;
 
     if (PK11_NeedUserInit(slot)) {
 	PORT_SetError(SEC_ERROR_IO);
@@ -597,17 +610,18 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBo
 	    }
 	    /* applicaton tried to authenticate and succeeded we're done */
 	    if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
 		rv = SECSuccess;
 		PORT_Free(password);
 		break;
 	    }
 	}
-	rv = pk11_CheckPassword(slot,password,contextSpecific);
+	rv = pk11_CheckPassword(slot, session, password, 
+				alreadyLocked, contextSpecific);
 	PORT_Memset(password, 0, PORT_Strlen(password));
 	PORT_Free(password);
 	if (rv != SECWouldBlock) break;
     }
     if (rv == SECSuccess) {
 	if (!PK11_IsFriendly(slot)) {
 	    nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
 	                                      slot->nssToken);
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -2658,17 +2658,17 @@ PK11_GetAllSlotsForCert(CERTCertificate 
 	nssCryptokiObjectArray_Destroy(instances);
 	return NULL;
     }
 
     for (ip = instances; *ip; ip++) {
 	nssCryptokiObject *instance = *ip;
 	PK11SlotInfo *slot = instance->token->pk11slot;
 	if (slot) {
-	    PK11_AddSlotToList(slotList, slot);
+	    PK11_AddSlotToList(slotList, slot, PR_TRUE);
 	    found = PR_TRUE;
 	}
     }
     if (!found) {
 	PK11_FreeSlotList(slotList);
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
 	slotList = NULL;
     }
--- a/security/nss/lib/pk11wrap/pk11merge.c
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -164,25 +164,25 @@ done:
 /*
  * Fetch the key usage based on the pkcs #11 flags
  */
 unsigned int
 pk11_getPrivateKeyUsage(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
 {
     unsigned int usage = 0;
 
-    if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP) || 
-			PK11_HasAttributeSet(slot,id, CKA_DECRYPT))) {
+    if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP,PR_FALSE) || 
+			PK11_HasAttributeSet(slot,id, CKA_DECRYPT,PR_FALSE))) {
 	usage |= KU_KEY_ENCIPHERMENT;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) {
 	usage |= KU_KEY_AGREEMENT;
     }
-    if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER) || 
-			PK11_HasAttributeSet(slot, id, CKA_SIGN))) {
+    if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE) || 
+			PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE))) {
 	usage |= KU_DIGITAL_SIGNATURE;
     }
     return usage;
 }
     
 	
 /*
  * merge a private key, 
@@ -368,41 +368,41 @@ pk11_incrementID(PRArenaPool *arena, CK_
 }
 
 
 static CK_FLAGS
 pk11_getSecretKeyFlags(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
 {
     CK_FLAGS flags = 0;
 
-    if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP, PR_FALSE)) {
 	flags |= CKF_UNWRAP;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_WRAP)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_WRAP, PR_FALSE)) {
 	flags |= CKF_WRAP;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT, PR_FALSE)) {
 	flags |= CKF_ENCRYPT;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT, PR_FALSE)) {
 	flags |= CKF_DECRYPT;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) {
 	flags |= CKF_DERIVE;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_SIGN)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE)) {
 	flags |= CKF_SIGN;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE)) {
 	flags |= CKF_SIGN_RECOVER;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY, PR_FALSE)) {
 	flags |= CKF_VERIFY;
     }
-    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER)) {
+    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER, PR_FALSE)) {
 	flags |= CKF_VERIFY_RECOVER;
     }
     return flags;
 }
 
 static const char testString[] = 
 	"My Encrytion Test Data (should be at least 32 bytes long)";
 /*
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -141,30 +141,30 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl
     return value;
 }
 
 /*
  * check to see if a bool has been set.
  */
 CK_BBOOL
 PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-				                      CK_ATTRIBUTE_TYPE type )
+				 CK_ATTRIBUTE_TYPE type, PRBool haslock )
 {
     CK_BBOOL ckvalue = CK_FALSE;
     CK_ATTRIBUTE theTemplate;
     CK_RV crv;
 
     /* Prepare to retrieve the attribute. */
     PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
 
     /* Retrieve attribute value. */
-    PK11_EnterSlotMonitor(slot);
+    if (!haslock) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
                                                     &theTemplate, 1 );
-    PK11_ExitSlotMonitor(slot);
+    if (!haslock) PK11_ExitSlotMonitor(slot);
     if( crv != CKR_OK ) {
         PORT_SetError( PK11_MapError( crv ) );
         return CK_FALSE;
     }
 
     return ckvalue;
 }
 
@@ -249,17 +249,17 @@ PK11_GetAttributes(PRArenaPool *arena,PK
 	PORT_ArenaUnmark(arena,mark);
     }
     return crv;
 }
 
 PRBool
 PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
 {
-    return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
+    return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE);
 }
 
 char *
 PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) 
 {
     char *nickname = NULL;
     SECItem result;
     SECStatus rv;
@@ -731,44 +731,48 @@ PK11_Verify(SECKEYPublicKey *key, const 
  */
 SECStatus
 PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, const SECItem *hash)
 {
     PK11SlotInfo *slot = key->pkcs11Slot;
     CK_MECHANISM mech = {0, NULL, 0 };
     PRBool owner = PR_TRUE;
     CK_SESSION_HANDLE session;
+    PRBool haslock = PR_FALSE;
     CK_ULONG len;
     CK_RV crv;
 
     mech.mechanism = PK11_MapSignKeyType(key->keyType);
 
     if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
 	PK11_HandlePasswordCheck(slot, key->wincx);
     }
 
     session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    haslock = (!owner || !(slot->isThreadSafe));
+    if (haslock) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
     if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	if (haslock) PK11_ExitSlotMonitor(slot);
 	pk11_CloseSession(slot,session,owner);
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
-	/* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
-	 * do C_Login with CKU_CONTEXT_SPECIFIC 
-	 * between C_SignInit and C_Sign */
-	if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
-		PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
-	}
+
+    /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
+     * do C_Login with CKU_CONTEXT_SPECIFIC 
+     * between C_SignInit and C_Sign */
+    if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
+	PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
+    }
+
     len = sig->len;
     crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
 					hash->len, sig->data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    if (haslock) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     sig->len = len;
     if (crv != CKR_OK) {
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
     return SECSuccess;
 }
@@ -784,48 +788,52 @@ static SECStatus
 pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
 	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
 				    unsigned encLen, CK_MECHANISM_PTR mech)
 {
     PK11SlotInfo *slot = key->pkcs11Slot;
     CK_ULONG out = maxLen;
     PRBool owner = PR_TRUE;
     CK_SESSION_HANDLE session;
+    PRBool haslock = PR_FALSE;
     CK_RV crv;
 
     if (key->keyType != rsaKey) {
 	PORT_SetError( SEC_ERROR_INVALID_KEY );
 	return SECFailure;
     }
 
     /* Why do we do a PK11_handle check here? for simple
      * decryption? .. because the user may have asked for 'ask always'
      * and this is a private key operation. In practice, thought, it's mute
      * since only servers wind up using this function */
     if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
 	PK11_HandlePasswordCheck(slot, key->wincx);
     }
     session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    haslock = (!owner || !(slot->isThreadSafe));
+    if (haslock) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID);
     if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	if (haslock) PK11_ExitSlotMonitor(slot);
 	pk11_CloseSession(slot,session,owner);
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
-	/* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
-	 * do C_Login with CKU_CONTEXT_SPECIFIC 
-	 * between C_DecryptInit and C_Decrypt */
-	/* But see note above about servers */
-	if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
-		PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
-	}
+
+    /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
+     * do C_Login with CKU_CONTEXT_SPECIFIC 
+     * between C_DecryptInit and C_Decrypt
+     * ... But see note above about servers */
+     if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
+	PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
+    }
+
     crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    if (haslock) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     *outLen = out;
     if (crv != CKR_OK) {
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
     return SECSuccess;
 }
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -23,17 +23,17 @@
 SEC_BEGIN_PROTOS
 
 /************************************************************
  * Generic Slot Lists Management
  ************************************************************/
 PK11SlotList * PK11_NewSlotList(void);
 PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
 						PRBool needRW,void *wincx);
-SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
+SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted);
 SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
 PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
 							PK11SlotInfo *slot);
 PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
 int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type);
 
 /************************************************************
  * Generic Slot Management
@@ -54,18 +54,19 @@ PK11SlotInfo *PK11_NewSlotInfo(SECMODMod
 void PK11_EnterSlotMonitor(PK11SlotInfo *);
 void PK11_ExitSlotMonitor(PK11SlotInfo *);
 void PK11_CleanKeyList(PK11SlotInfo *slot);
 
 
 /************************************************************
  *  Slot Password Management
  ************************************************************/
-SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx,
-				PRBool contextSpecific);
+SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+			PRBool loadCerts, void *wincx, PRBool alreadyLocked,
+			PRBool contextSpecific);
 SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
 void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
 void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
 void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
 
 /************************************************************
  * Manage the built-In Slot Lists
  ************************************************************/
@@ -116,17 +117,18 @@ SECStatus PK11_TraversePrivateKeysInSlot
 SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
 CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
 	PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, 
 								void *wincx);
 CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
 						CK_OBJECT_CLASS o_class); 
 CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
 			       CK_OBJECT_HANDLE id,
-			       CK_ATTRIBUTE_TYPE type );
+			       CK_ATTRIBUTE_TYPE type,
+			       PRBool haslock );
 CK_RV PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot,
 			 CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
 int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
 SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, 
 	SECStatus(*callback)(CERTCertificate *, void *), void *arg);
 SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
    PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
 SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -900,23 +900,20 @@ PK11SymKey *
 pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
     SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid, 
     CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx)
 {
     PK11SymKey *symKey;
     CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS];
     CK_ATTRIBUTE *attrs = genTemplate;
     int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
-    CK_SESSION_HANDLE session;
     CK_MECHANISM_TYPE keyGenType;
-    CK_RV crv;
     CK_BBOOL cktrue = CK_TRUE;
     CK_BBOOL ckfalse = CK_FALSE;
     CK_ULONG ck_key_size;       /* only used for variable-length keys */
-    PRBool isToken = ((attrFlags & PK11_ATTR_TOKEN) != 0);
 
     if (pk11_BadAttrFlags(attrFlags)) {
 	PORT_SetError( SEC_ERROR_INVALID_ARGS );
 	return NULL;
     }
 
     if ((keySize != 0) && (type != CKM_DES3_CBC) && 
 		(type !=CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) {
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -166,32 +166,51 @@ void
 PK11_FreeSlotList(PK11SlotList *list)
 {
     pk11_FreeSlotListStatic(list);
     PORT_Free(list);
 }
 
 /*
  * add a slot to a list
+ * "slot" is the slot to be added. Ownership is not transferred.
+ * "sorted" indicates whether or not the slot should be inserted according to
+ *   cipherOrder of the associated module. PR_FALSE indicates that the slot
+ *   should be inserted to the head of the list.
  */
 SECStatus
-PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
+PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted)
 {
     PK11SlotListElement *le;
+    PK11SlotListElement *element;
 
     le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
     if (le == NULL) return SECFailure;
 
     le->slot = PK11_ReferenceSlot(slot);
     le->prev = NULL;
     le->refCount = 1;
     PZ_Lock(list->lock);
-    if (list->head) list->head->prev = le; else list->tail = le;
-    le->next = list->head;
-    list->head = le;
+    element = list->head;
+    /* Insertion sort, with higher cipherOrders are sorted first in the list */
+    while (element && sorted && (element->slot->module->cipherOrder >
+                                 le->slot->module->cipherOrder)) {
+        element = element->next;
+    }
+    if (element) {
+        le->prev = element->prev;
+        element->prev = le;
+        le->next = element;
+    } else {
+        le->prev = list->tail;
+        le->next = NULL;
+        list->tail = le;
+    }
+    if (le->prev) le->prev->next = le;
+    if (list->head == element) list->head = le;
     PZ_Unlock(list->lock);
 
     return SECSuccess;
 }
 
 /*
  * remove a slot entry from the list
  */
@@ -203,21 +222,22 @@ PK11_DeleteSlotFromList(PK11SlotList *li
     if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
     le->next = le->prev = NULL;
     PZ_Unlock(list->lock);
     PK11_FreeSlotListElement(list,le);
     return SECSuccess;
 }
 
 /*
- * Move a list to the end of the target list. NOTE: There is no locking
- * here... This assumes BOTH lists are private copy lists.
+ * Move a list to the end of the target list.
+ * NOTE: There is no locking here... This assumes BOTH lists are private copy
+ * lists. It also does not re-sort the target list.
  */
 SECStatus
-PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
+pk11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
 {
     if (src->head == NULL) return SECSuccess;
 
     if (target->tail == NULL) {
 	target->head = src->head;
     } else {
 	target->tail->next = src->head;
     }
@@ -506,17 +526,17 @@ PK11_FindSlotsByNames(const char *dllNam
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return slotList;
     }
 
     if ( ((NULL == dllName) || (0 == *dllName)) &&
         ((NULL == slotName) || (0 == *slotName)) &&
         ((NULL == tokenName) || (0 == *tokenName)) ) {
         /* default to softoken */
-        PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot());
+        PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot(), PR_TRUE);
         return slotList;
     }
 
     /* work through all the slots */
     SECMOD_GetReadLock(moduleLock);
     modules = SECMOD_GetDefaultModuleList();
     for (mlp = modules; mlp != NULL; mlp = mlp->next) {
         PORT_Assert(mlp->module);
@@ -534,17 +554,17 @@ PK11_FindSlotsByNames(const char *dllNam
                     break;
                 }
                 if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
                     ( (!tokenName) || (tmpSlot->token_name &&
                     (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) &&
                     ( (!slotName) || (tmpSlot->slot_name &&
                     (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) {
                     if (tmpSlot) {
-                        PK11_AddSlotToList(slotList, tmpSlot);
+                        PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE);
                         slotcount++;
                     }
                 }
             }
         }
     }
     SECMOD_ReleaseReadLock(moduleLock);
 
@@ -905,17 +925,17 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK
 	return;
     }
 
     for (i=0; i < num_pk11_default_mechanisms; i++) {
 	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
 	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
 	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
 
-	    if (slotList) PK11_AddSlotToList(slotList,slot);
+	    if (slotList) PK11_AddSlotToList(slotList,slot,PR_FALSE);
 	}
     }
 
     return;
 }
 
 
 /*
@@ -932,17 +952,17 @@ PK11_UpdateSlotAttribute(PK11SlotInfo *s
 
     if (add) { /* trying to turn on a mechanism */
                  
         /* turn on the default flag in the slot */
         slot->defaultFlags |= entry->flag;
         
         /* add this slot to the list */
         if (slotList!=NULL)
-            result = PK11_AddSlotToList(slotList, slot);
+            result = PK11_AddSlotToList(slotList, slot, PR_FALSE);
         
     } else { /* trying to turn off */
             
         /* turn OFF the flag in the slot */ 
         slot->defaultFlags &= ~entry->flag;
         
         if (slotList) {
             /* find the element in the list & delete it */
@@ -1905,32 +1925,32 @@ PK11_GetAllTokens(CK_MECHANISM_TYPE type
 	    PK11SlotInfo *slot = mlp->module->slots[i];
 
 	    if (pk11_IsPresentCertLoad(slot, loadCerts)) {
 		if (needRW &&  slot->readOnly) continue;
 		if ((type == CKM_INVALID_MECHANISM) 
 					|| PK11_DoesMechanism(slot, type)) {
 		    if (pk11_LoginStillRequired(slot,wincx)) {
 			if (PK11_IsFriendly(slot)) {
-			    PK11_AddSlotToList(friendlyList, slot);
+			    PK11_AddSlotToList(friendlyList, slot, PR_TRUE);
 			} else {
-			    PK11_AddSlotToList(loginList, slot);
+			    PK11_AddSlotToList(loginList, slot, PR_TRUE);
 			}
 		    } else {
-			PK11_AddSlotToList(list, slot);
+			PK11_AddSlotToList(list, slot, PR_TRUE);
 		    }
 		}
 	    }
 	}
     }
     SECMOD_ReleaseReadLock(moduleLock);
 
-    PK11_MoveListToList(list,friendlyList);
+    pk11_MoveListToList(list,friendlyList);
     PK11_FreeSlotList(friendlyList);
-    PK11_MoveListToList(list,loginList);
+    pk11_MoveListToList(list,loginList);
     PK11_FreeSlotList(loginList);
 
     return list;
 }
 
 /*
  * NOTE: This routine is working from a private List generated by 
  * PK11_GetAllTokens. That is why it does not need to lock.
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -8,17 +8,16 @@
 #include "secmod.h"
 #include "nssilock.h"
 #include "secmodi.h"
 #include "secmodti.h"
 #include "pk11func.h"
 #include "pki3hack.h"
 #include "secerr.h"
 #include "dev.h"
-#include "pkcs11ni.h"
 #include "utilpars.h"
 
 /* these are for displaying error messages */
 
 static  SECMODModuleList *modules = NULL;
 static  SECMODModuleList *modulesDB = NULL;
 static  SECMODModuleList *modulesUnload = NULL;
 static  SECMODModule *internalModule = NULL;
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * PKCS7 decoding, verification.
  *
- * $Id: p7decode.c,v 1.29 2012/04/25 14:50:06 gerv%gerv.net Exp $
+ * $Id: p7decode.c,v 1.30 2012/11/27 22:48:08 bsmith%mozilla.com Exp $
  */
 
 #include "p7local.h"
 
 #include "cert.h"
 				/* XXX do not want to have to include */
 #include "certdb.h"		/* certdb.h -- the trust stuff needed by */
      				/* the add certificate code needs to get */
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Interface to the PKCS7 implementation.
  *
- * $Id: secpkcs7.h,v 1.9 2012/04/25 14:50:06 gerv%gerv.net Exp $
+ * $Id: secpkcs7.h,v 1.10 2012/11/27 22:48:08 bsmith%mozilla.com Exp $
  */
 
 #ifndef _SECPKCS7_H_
 #define _SECPKCS7_H_
 
 #include "seccomon.h"
 
 #include "secoidt.h"
--- a/security/nss/lib/softoken/Makefile
+++ b/security/nss/lib/softoken/Makefile
@@ -34,17 +34,17 @@ include config.mk
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 ifdef NSS_DISABLE_DBM
-DIRS= dummy
+DIRS=
 endif
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 export:: private_export
 
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -60,12 +60,8 @@ endif
 
 ifeq ($(OS_TARGET),AIX)
 OS_LIBS += -lpthread
 endif
 
 ifeq ($(OS_TARGET),SunOS)
 OS_LIBS += -lbsm 
 endif
-
-ifeq ($(OS_TARGET),WINCE)
-DEFINES += -DDBM_USING_NSPR
-endif
--- a/security/nss/lib/softoken/legacydb/config.mk
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -54,12 +54,8 @@ EXTRA_SHARED_LIBS += \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
 
 ifeq ($(OS_TARGET),SunOS)
 OS_LIBS += -lbsm 
 endif
-
-ifeq ($(OS_TARGET),WINCE)
-DEFINES += -DDBM_USING_NSPR
-endif
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -506,17 +506,17 @@ sftk_forceTokenAttribute(SFTKObject *obj
     PORT_Assert(to);
     if (to == NULL) {
 	return CKR_DEVICE_ERROR;
     }
 
     dbHandle = sftk_getDBForTokenObject(object->slot, object->handle);
 
     attribute.type = type;
-    attribute.pValue = value;
+    attribute.pValue = (void *)value;
     attribute.ulValueLen = len;
 
     crv = sftkdb_SetAttributeValue(dbHandle, object, &attribute, 1);
     sftk_freeDB(dbHandle);
     return crv;
 }
 	
 /*
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -1679,19 +1679,17 @@ sdb_init(char *dbname, char *table, sdbD
     if (sqlerr != SQLITE_OK) {
 	error = sdb_mapSQLError(type, sqlerr); 
 	goto loser;
     }
     /* sql created the file, but it doesn't set appropriate modes for
      * a database */
     if (create) {
 	/* NO NSPR call for this? :( */
-#ifndef WINCE
 	chmod (dbname, 0600);
-#endif
     }
 
     if (flags != SDB_RDONLY) {
 	sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
 	if (sqlerr != SQLITE_OK) {
 	    error = sdb_mapSQLError(type, sqlerr);
 	    goto loser;
 	}
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.14.0.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.14.1.0" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   14
-#define SOFTOKEN_VPATCH   0
-#define SOFTOKEN_VBUILD   1
+#define SOFTOKEN_VPATCH   1
+#define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/notes.txt
+++ b/security/nss/lib/ssl/notes.txt
@@ -1,11 +1,11 @@
- This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 SSL's Buffers: enumerated and explained.
 
 ---------------------------------------------------------------------------
 incoming:
 
 gs = ss->gather
 hs = ss->ssl3->hs
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1,16 +1,16 @@
 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3con.c,v 1.192 2012/09/28 05:10:25 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.195 2012/11/15 18:49:01 wtc%google.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"	/* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
@@ -5572,17 +5572,16 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 
 	ss->ssl3.hs.isResuming = PR_TRUE;
 
 	/* copy the peer cert from the SID */
 	if (sid->peerCert != NULL) {
 	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
 	}
 
-
 	/* NULL value for PMS signifies re-use of the old MS */
 	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
 	if (rv != SECSuccess) {
 	    goto alert_loser;	/* err code was set */
 	}
 	return SECSuccess;
     } while (0);
 
@@ -5976,24 +5975,24 @@ ssl3_HandleCertificateRequest(sslSocket 
     }
 
     if (length != 0)
         goto alert_loser;   	/* malformed */
 
     desc = no_certificate;
     ss->ssl3.hs.ws = wait_hello_done;
 
-    if (ss->getClientAuthData == NULL) {
-	rv = SECFailure; /* force it to send a no_certificate alert */
-    } else {
+    if (ss->getClientAuthData != NULL) {
 	/* XXX Should pass cert_types in this call!! */
 	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
 						 ss->fd, &ca_list,
 						 &ss->ssl3.clientCertificate,
 						 &ss->ssl3.clientPrivateKey);
+    } else {
+	rv = SECFailure; /* force it to send a no_certificate alert */
     }
     switch (rv) {
     case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
 	ssl3_SetAlwaysBlock(ss);
 	break;	/* not an error */
 
     case SECSuccess:
         /* check what the callback function returned */
@@ -6073,20 +6072,27 @@ ssl3_CanFalseStart(sslSocket *ss) {
      * would be called.
      */
 
     ssl_GetSpecReadLock(ss);
     rv = ss->opt.enableFalseStart &&
 	 !ss->sec.isServer &&
 	 !ss->ssl3.hs.isResuming &&
 	 ss->ssl3.cwSpec &&
+
+	 /* An attacker can control the selected ciphersuite so we only wish to
+	  * do False Start in the case that the selected ciphersuite is
+	  * sufficiently strong that the attack can gain no advantage.
+	  * Therefore we require an 80-bit cipher and a forward-secret key
+	  * exchange. */
 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-	(ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||
-	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh  ||
-	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);
+	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
     ssl_ReleaseSpecReadLock(ss);
     return rv;
 }
 
 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Server Hello Done message.
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -1,17 +1,17 @@
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.28 2012/09/21 00:28:05 wtc%google.com Exp $ */
+/* $Id: ssl3ext.c,v 1.30 2012/11/13 01:26:40 wtc%google.com Exp $ */
 
 #include "nssrenam.h"
 #include "nss.h"
 #include "ssl.h"
 #include "sslproto.h"
 #include "sslimpl.h"
 #include "pk11pub.h"
 #ifdef NO_PKCS11_BYPASS
@@ -530,16 +530,22 @@ static SECStatus
 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     if (ss->firstHsDone || data->len != 0) {
 	/* Clients MUST send an empty NPN extension, if any. */
 	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
 	return SECFailure;
     }
 
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+    /* TODO: server side NPN support would require calling
+     * ssl3_RegisterServerHelloExtensionSender here in order to echo the
+     * extension back to the client. */
+
     return SECSuccess;
 }
 
 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
  * of the lengths may be 0 and the sum of the lengths must equal the length of
  * the block. */
 SECStatus
 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
@@ -598,16 +604,18 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc
 	return rv;
     /* If the callback wrote more than allowed to |result| it has corrupted our
      * stack. */
     if (result.len > sizeof resultBuffer) {
 	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 	return SECFailure;
     }
 
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
     return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
 }
 
 static PRInt32
 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
 				PRUint32 maxBytes)
 {
@@ -1071,17 +1079,17 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
 
 	/* Get session ticket keys. */
 #ifndef NO_PKCS11_BYPASS
 	if (ss->opt.bypassPKCS11) {
 	    rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
 		&mac_key, &mac_key_length);
 	} else 
 #endif
-    {
+	{
 	    rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
 		&mac_key_pkcs11);
 	}
 	if (rv != SECSuccess) {
 	    SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
 			SSL_GETPID(), ss->fd));
 	    goto loser;
 	}
@@ -1109,17 +1117,17 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
 	    HMAC_Begin(hmac_ctx);
 	    HMAC_Update(hmac_ctx, extension_data.data,
 		extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
 	    if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
 		    sizeof(computed_mac)) != SECSuccess)
 		goto no_ticket;
 	} else 
 #endif
-    {
+	{
 	    SECItem macParam;
 	    macParam.data = NULL;
 	    macParam.len = 0;
 	    hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
 		CKA_SIGN, mac_key_pkcs11, &macParam);
 	    if (!hmac_ctx_pkcs11) {
 		SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
 			    SSL_GETPID(), ss->fd, PORT_GetError()));
@@ -1173,17 +1181,17 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
 	    rv = AES_Decrypt(aes_ctx, decrypted_state->data,
 		&decrypted_state->len, decrypted_state->len,
 		enc_session_ticket.encrypted_state.data,
 		enc_session_ticket.encrypted_state.len);
 	    if (rv != SECSuccess)
 		goto no_ticket;
 	} else 
 #endif
-    {
+	{
 	    SECItem ivItem;
 	    ivItem.data = enc_session_ticket.iv;
 	    ivItem.len = AES_BLOCK_SIZE;
 	    aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
 		CKA_DECRYPT, aes_key_pkcs11, &ivItem);
 	    if (!aes_ctx_pkcs11) {
 		SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
 			    SSL_GETPID(), ss->fd));
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1,16 +1,16 @@
 /*
  * This file is PRIVATE to SSL and should be the first thing included by
  * any SSL implementation file.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslimpl.h,v 1.108 2012/09/28 01:46:45 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.109 2012/11/14 01:14:12 wtc%google.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
 
 #ifdef DEBUG
 #undef NDEBUG
 #else
 #undef NDEBUG
@@ -1786,18 +1786,16 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSp
 #endif
 
 void ssl_Trace(const char *format, ...);
 
 SEC_END_PROTOS
 
 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
 #define SSL_GETPID getpid
-#elif defined(_WIN32_WCE)
-#define SSL_GETPID GetCurrentProcessId
 #elif defined(WIN32)
 extern int __cdecl _getpid(void);
 #define SSL_GETPID _getpid
 #else
 #define SSL_GETPID() 0
 #endif
 
 #endif /* __sslimpl_h_ */
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -1,26 +1,26 @@
 /* 
  * This file implements the CLIENT Session ID cache.  
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslnonce.c,v 1.27 2012/04/25 14:50:12 gerv%gerv.net Exp $ */
+/* $Id: sslnonce.c,v 1.28 2012/11/14 01:14:12 wtc%google.com Exp $ */
 
 #include "cert.h"
 #include "pk11pub.h"
 #include "secitem.h"
 #include "ssl.h"
 #include "nss.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nssilock.h"
-#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)
 #include <time.h>
 #endif
 
 PRUint32 ssl_sid_timeout = 100;
 PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
 
 static sslSessionID *cache = NULL;
 static PZLock *      cacheLock = NULL;
@@ -447,17 +447,17 @@ SSL_ClearSessionCache(void)
     UNLOCK_CACHE;
 }
 
 /* returns an unsigned int containing the number of seconds in PR_Now() */
 PRUint32
 ssl_Time(void)
 {
     PRUint32 myTime;
-#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)
     myTime = time(NULL);	/* accurate until the year 2038. */
 #else
     /* portable, but possibly slower */
     PRTime now;
     PRInt64 ll;
 
     now = PR_Now();
     LL_I2L(ll, 1000000L);
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -1,17 +1,17 @@
 /*
  * vtables (and methods that call through them) for the 4 types of 
  * SSLSockets supported.  Only one type is still supported.
  * Various other functions.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslsock.c,v 1.96 2012/09/24 23:57:42 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.98 2012/11/14 01:14:12 wtc%google.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nspr.h"
 #include "private/pprio.h"
@@ -2748,17 +2748,17 @@ ssl_MakeLocks(sslSocket *ss)
 	    goto loser;
     }
     return SECSuccess;
 loser:
     ssl_DestroyLocks(ss);
     return SECFailure;
 }
 
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)
 #define NSS_HAVE_GETENV 1
 #endif
 
 #define LOWER(x) (x | 0x20)  /* cheap ToLower function ignores LOCALE */
 
 static void
 ssl_SetDefaultsFromEnvironment(void)
 {
@@ -2787,21 +2787,25 @@ ssl_SetDefaultsFromEnvironment(void)
 	if (ev && ev[0]) {
 	    ssl_debug = atoi(ev);
 	    SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
 	}
 #endif /* DEBUG */
 	ev = getenv("SSLKEYLOGFILE");
 	if (ev && ev[0]) {
 	    ssl_keylog_iob = fopen(ev, "a");
-	    if (ftell(ssl_keylog_iob) == 0) {
-		fputs("# SSL/TLS secrets log file, generated by NSS\n",
-		      ssl_keylog_iob);
+	    if (!ssl_keylog_iob) {
+		SSL_TRACE(("SSL: failed to open key log file"));
+	    } else {
+		if (ftell(ssl_keylog_iob) == 0) {
+		    fputs("# SSL/TLS secrets log file, generated by NSS\n",
+			  ssl_keylog_iob);
+		}
+		SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
 	    }
-	    SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
 	}
 #ifndef NO_PKCS11_BYPASS
 	ev = getenv("SSLBYPASS");
 	if (ev && ev[0]) {
 	    ssl_defaults.bypassPKCS11 = (ev[0] == '1');
 	    SSL_TRACE(("SSL: bypass default set to %d", \
 		      ssl_defaults.bypassPKCS11));
 	}
--- a/security/nss/lib/util/base64.h
+++ b/security/nss/lib/util/base64.h
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * base64.h - prototypes for base64 encoding/decoding
  * Note: These functions are deprecated; see nssb64.h for new routines.
  *
- * $Id: base64.h,v 1.4 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: base64.h,v 1.5 2012/11/27 22:48:09 bsmith%mozilla.com Exp $
  */
 #ifndef _BASE64_H_
 #define _BASE64_H_
 
 #include "utilrename.h"
 #include "seccomon.h"
 
 SEC_BEGIN_PROTOS
--- a/security/nss/lib/util/nssb64d.c
+++ b/security/nss/lib/util/nssb64d.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Base64 decoding (ascii to binary).
  *
- * $Id: nssb64d.c,v 1.9 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: nssb64d.c,v 1.10 2012/11/27 22:48:09 bsmith%mozilla.com Exp $
  */
 
 #include "nssb64.h"
 #include "nspr.h"
 #include "secitem.h"
 #include "secerr.h"
 
 /*
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,21 +14,21 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.14.0.1"
+#define NSSUTIL_VERSION  "3.14.1.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   14
-#define NSSUTIL_VPATCH   0
-#define NSSUTIL_VBUILD   1
+#define NSSUTIL_VPATCH   1
+#define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
--- a/security/nss/lib/util/secder.h
+++ b/security/nss/lib/util/secder.h
@@ -6,23 +6,20 @@
 #define _SECDER_H_
 
 #include "utilrename.h"
 
 /*
  * secder.h - public data structures and prototypes for the DER encoding and
  *	      decoding utilities library
  *
- * $Id: secder.h,v 1.16 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secder.h,v 1.17 2012/11/14 01:14:12 wtc%google.com Exp $
  */
 
-#if defined(_WIN32_WCE)
-#else
 #include <time.h>
-#endif
 
 #include "plarena.h"
 #include "prlong.h"
 
 #include "seccomon.h"
 #include "secdert.h"
 #include "prtime.h"
 
--- a/security/nss/lib/util/secport.c
+++ b/security/nss/lib/util/secport.c
@@ -4,17 +4,17 @@
 
 /*
  * secport.c - portability interfaces for security libraries
  *
  * This file abstracts out libc functionality that libsec depends on
  * 
  * NOTE - These are not public interfaces
  *
- * $Id: secport.c,v 1.30 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secport.c,v 1.31 2012/11/14 01:14:12 wtc%google.com Exp $
  */
 
 #include "seccomon.h"
 #include "prmem.h"
 #include "prerror.h"
 #include "plarena.h"
 #include "secerr.h"
 #include "prmon.h"
@@ -628,19 +628,16 @@ PORT_UCS2_ASCIIConversion(PRBool toUnico
 
 
 /* Portable putenv.  Creates/replaces an environment variable of the form
  *  envVarName=envValue
  */
 int
 NSS_PutEnv(const char * envVarName, const char * envValue)
 {
-#ifdef _WIN32_WCE
-    return SECFailure;
-#else
     SECStatus result = SECSuccess;
     char *    encoded;
     int       putEnvFailed;
 #ifdef _WIN32
     PRBool      setOK;
 
     setOK = SetEnvironmentVariable(envVarName, envValue);
     if (!setOK) {
@@ -656,17 +653,16 @@ NSS_PutEnv(const char * envVarName, cons
 
     putEnvFailed = putenv(encoded); /* adopt. */
     if (putEnvFailed) {
         SET_ERROR_CODE
         result = SECFailure;
         PORT_Free(encoded);
     }
     return result;
-#endif
 }
 
 /*
  * Perform a constant-time compare of two memory regions. The return value is
  * 0 if the memory regions are equal and non-zero otherwise.
  */
 int
 NSS_SecureMemcmp(const void *ia, const void *ib, size_t n)
--- a/security/nss/lib/util/secport.h
+++ b/security/nss/lib/util/secport.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * secport.h - portability interfaces for security libraries
  *
- * $Id: secport.h,v 1.28 2012/04/25 14:50:16 gerv%gerv.net Exp $
+ * $Id: secport.h,v 1.29 2012/11/14 01:14:12 wtc%google.com Exp $
  */
 
 #ifndef _SECPORT_H_
 #define _SECPORT_H_
 
 #include "utilrename.h"
 #include "prlink.h"
 
@@ -36,30 +36,21 @@
 #endif
 
 #ifdef unix
 # ifndef XP_UNIX
 # define XP_UNIX
 # endif
 #endif
 
-#if defined(_WIN32_WCE)
-#include <windef.h>
-#include <types.h>
-#else
 #include <sys/types.h>
-#endif
 
 #include <ctype.h>
 #include <string.h>
-#if defined(_WIN32_WCE)
-#include <stdlib.h>	/* WinCE puts some stddef symbols here. */
-#else
 #include <stddef.h>
-#endif
 #include <stdlib.h>
 #include "prtypes.h"
 #include "prlog.h"	/* for PR_ASSERT */
 #include "plarena.h"
 #include "plstr.h"
 
 /*
  * HACK for NSS 2.8 to allow Admin to compile without source changes.
--- a/security/nss/lib/util/utilmod.c
+++ b/security/nss/lib/util/utilmod.c
@@ -13,18 +13,17 @@
  *
  * Each SFTKDBHandle points to a low level database handle (SDB). This handle
  * represents the underlying physical database. These objects are not 
  * reference counted, and are 'owned' by their respective SFTKDBHandles.
  */
 
 #include "prprf.h" 
 #include "prsystem.h"
-#include "pkcs11t.h"
-#include "secitem.h"
+#include "secport.h"
 #include "utilpars.h" 
 #include "secerr.h"
 #if defined (_WIN32)
 #include <io.h>
 #endif
 
 /****************************************************************
  *
@@ -111,39 +110,42 @@ nssutil_growList(char ***pModuleList, in
 static 
 char *_NSSUTIL_GetOldSecmodName(const char *dbname,const char *filename)
 {
     char *file = NULL;
     char *dirPath = PORT_Strdup(dbname);
     char *sep;
 
     sep = PORT_Strrchr(dirPath,*NSSUTIL_PATH_SEPARATOR);
-#ifdef WINDOWS
+#ifdef _WIN32
     if (!sep) {
+	/* utilparst.h defines NSSUTIL_PATH_SEPARATOR as "/" for all
+	 * platforms. */
 	sep = PORT_Strrchr(dirPath,'\\');
     }
 #endif
     if (sep) {
-	*(sep)=0;
+	*sep = 0;
+	file = PR_smprintf("%s"NSSUTIL_PATH_SEPARATOR"%s", dirPath, filename);
+    } else {
+	file = PR_smprintf("%s", filename);
     }
-    file= PR_smprintf("%s"NSSUTIL_PATH_SEPARATOR"%s", dirPath, filename);
     PORT_Free(dirPath);
     return file;
 }
 
-static SECStatus nssutil_AddSecmodDB(NSSDBType dbType, const char *appName, 
+static SECStatus nssutil_AddSecmodDB(const char *appName, 
 		   const char *filename, const char *dbname, 
 		   char *module, PRBool rw);
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 #include <fcntl.h>
 
-#ifndef WINCE
 /* same as fopen, except it doesn't use umask, but explicit */
 FILE *
 lfopen(const char *name, const char *mode, int flags)
 {
     int fd;
     FILE *file;
 
     fd = open(name, flags, 0600);
@@ -152,47 +154,45 @@ lfopen(const char *name, const char *mod
     }
     file = fdopen(fd, mode);
     if (!file) {
 	close(fd);
     }
     /* file inherits fd */
     return file;
 }
-#endif
 
 #define MAX_LINE_LENGTH 2048
 
 /*
  * Read all the existing modules in out of the file.
  */
 static char **
-nssutil_ReadSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_ReadSecmodDB(const char *appName, 
 		    const char *filename, const char *dbname, 
 		    char *params, PRBool rw)
 {
     FILE *fd = NULL;
     char **moduleList = NULL;
     int moduleCount = 1;
     int useCount = SECMOD_STEP;
     char line[MAX_LINE_LENGTH];
     PRBool internal = PR_FALSE;
     PRBool skipParams = PR_FALSE;
     char *moduleString = NULL;
     char *paramsValue=NULL;
     PRBool failed = PR_TRUE;
 
-    if (dbname == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
     moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
     if (moduleList == NULL) return NULL;
 
+    if (dbname == NULL) {
+	goto return_default;
+    }
+
     /* do we really want to use streams here */
     fd = fopen(dbname, "r");
     if (fd == NULL) goto done;
 
     /*
      * the following loop takes line separated config lines and collapses
      * the lines to a single string, escaping and quoting as necessary.
      */
@@ -349,29 +349,31 @@ done:
 	char *olddbname = _NSSUTIL_GetOldSecmodName(dbname,filename);
 	PRStatus status;
 
 	/* couldn't get the old name */
 	if (!olddbname) {
 	    goto bail;
 	}
 
-	/* old one doesn't exist */
+	/* old one exists */
 	status = PR_Access(olddbname, PR_ACCESS_EXISTS);
 	if (status == PR_SUCCESS) {
 	    PR_smprintf_free(olddbname);
 	    PORT_SetError(SEC_ERROR_LEGACY_DATABASE);
 	    return NULL;
 	}
 
 bail:
 	if (olddbname) {
 	    PR_smprintf_free(olddbname);
 	}
     }
+
+return_default:
 	
     if (!moduleList[0]) {
 	char * newParams;
 	moduleString = PORT_Strdup(NSSUTIL_DEFAULT_INTERNAL_INIT1);
 	newParams = NSSUTIL_Quote(params,'"');
 	if (newParams == NULL) goto loser;
 	moduleString = nssutil_DupCat(moduleString, newParams);
 	PORT_Free(newParams);
@@ -408,38 +410,38 @@ loser:
 	nssutil_releaseSpecList(moduleList);
 	moduleList = NULL;
 	failed = PR_TRUE;
     }
     if (fd != NULL) {
 	fclose(fd);
     } else if (!failed && rw) {
 	/* update our internal module */
-	nssutil_AddSecmodDB(dbType,appName,filename,dbname,moduleList[0],rw);
+	nssutil_AddSecmodDB(appName,filename,dbname,moduleList[0],rw);
     }
     return moduleList;
 }
 
 static SECStatus
-nssutil_ReleaseSecmodDBData(NSSDBType dbType, const char *appName, 
+nssutil_ReleaseSecmodDBData(const char *appName, 
 			const char *filename, const char *dbname, 
 			char **moduleSpecList, PRBool rw)
 {
     if (moduleSpecList) {
 	nssutil_releaseSpecList(moduleSpecList);
     }
     return SECSuccess;
 }
 
 
 /*
  * Delete a module from the Data Base
  */
 static SECStatus
-nssutil_DeleteSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_DeleteSecmodDB(const char *appName, 
 		      const char *filename, const char *dbname, 
 		      char *args, PRBool rw)
 {
     /* SHDB_FIXME implement */
     FILE *fd = NULL;
     FILE *fd2 = NULL;
     char line[MAX_LINE_LENGTH];
     char *dbname2 = NULL;
@@ -462,21 +464,17 @@ nssutil_DeleteSecmodDB(NSSDBType dbType,
 
     dbname2 = PORT_Strdup(dbname);
     if (dbname2 == NULL) goto loser;
     dbname2[strlen(dbname)-1]++;
 
     /* do we really want to use streams here */
     fd = fopen(dbname, "r");
     if (fd == NULL) goto loser;
-#ifdef WINCE
-    fd2 = fopen(dbname2, "w+");
-#else
     fd2 = lfopen(dbname2, "w+", O_CREAT|O_RDWR|O_TRUNC);
-#endif
     if (fd2 == NULL) goto loser;
 
     name = NSSUTIL_ArgGetParamValue("name",args);
     if (name) {
 	name_len = PORT_Strlen(name);
     }
     lib = NSSUTIL_ArgGetParamValue("library",args);
     if (lib) {
@@ -562,17 +560,17 @@ loser:
     PORT_Free(name);
     return SECFailure;
 }
 
 /*
  * Add a module to the Data base 
  */
 static SECStatus
-nssutil_AddSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_AddSecmodDB(const char *appName, 
 		   const char *filename, const char *dbname, 
 		   char *module, PRBool rw)
 {
     FILE *fd = NULL;
     char *block = NULL;
     PRBool libFound = PR_FALSE;
 
     if (dbname == NULL) {
@@ -582,24 +580,20 @@ nssutil_AddSecmodDB(NSSDBType dbType, co
 
     /* can't write to a read only module */
     if (!rw) {
 	PORT_SetError(SEC_ERROR_READ_ONLY);
 	return SECFailure;
     }
 
     /* remove the previous version if it exists */
-    (void) nssutil_DeleteSecmodDB(dbType, appName, filename, 
+    (void) nssutil_DeleteSecmodDB(appName, filename, 
 				  dbname, module, rw);
 
-#ifdef WINCE
-    fd = fopen(dbname, "a+");
-#else
     fd = lfopen(dbname, "a+", O_CREAT|O_RDWR|O_APPEND);
-#endif
     if (fd == NULL) {
 	return SECFailure;
     }
     module = NSSUTIL_ArgStrip(module);
     while (*module) {
 	int count;
 	char *keyEnd = PORT_Strchr(module,'=');
 	char *value;
@@ -661,29 +655,29 @@ NSSUTIL_DoModuleDBFunction(unsigned long
 	/* we can't handle the old database, only softoken can */
 	PORT_SetError(SEC_ERROR_LEGACY_DATABASE);
 	rvstr =  NULL;
 	goto done;
     }
 
     switch (function) {
     case SECMOD_MODULE_DB_FUNCTION_FIND:
-        rvstr = nssutil_ReadSecmodDB(dbType,appName,filename,
+        rvstr = nssutil_ReadSecmodDB(appName,filename,
 				     secmod,(char *)parameters,rw);
         break;
     case SECMOD_MODULE_DB_FUNCTION_ADD:
-        rvstr = (nssutil_AddSecmodDB(dbType,appName,filename,
+        rvstr = (nssutil_AddSecmodDB(appName,filename,
 		secmod,(char *)args,rw) == SECSuccess) ? &success: NULL;
         break;
     case SECMOD_MODULE_DB_FUNCTION_DEL:
-        rvstr = (nssutil_DeleteSecmodDB(dbType,appName,filename,
+        rvstr = (nssutil_DeleteSecmodDB(appName,filename,
 		secmod,(char *)args,rw) == SECSuccess) ? &success: NULL;
         break;
     case SECMOD_MODULE_DB_FUNCTION_RELEASE:
-        rvstr = (nssutil_ReleaseSecmodDBData(dbType, appName,filename,
+        rvstr = (nssutil_ReleaseSecmodDBData(appName,filename,
 		secmod, (char **)args,rw) == SECSuccess) ? &success: NULL;
         break;
     }
 done:
     if (secmod) PR_smprintf_free(secmod);
     if (appName) PORT_Free(appName);
     if (filename) PORT_Free(filename);
     return rvstr;
--- a/security/nss/lib/util/utilpars.c
+++ b/security/nss/lib/util/utilpars.c
@@ -334,17 +334,17 @@ nssutil_escapeQuotes(const char *string,
 {
     char *newString = 0;
     int size = 0;
     const char *src;
     char *dest;
 
     size = nssutil_escapeQuotesSize(string, quote, addquotes);
 
-    dest = newString = PORT_ZAlloc(size+2); 
+    dest = newString = PORT_ZAlloc(size); 
     if (newString == NULL) {
 	return NULL;
     }
 
     if (addquotes) *dest++=quote;
     for (src=string; *src; src++,dest++) {
 	if ((*src == '\\') || (*src == quote)) {
 	    *dest++ = '\\';
@@ -538,16 +538,18 @@ static struct nssutilArgSlotFlagTable ns
 	NSSUTIL_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
 	NSSUTIL_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
 	NSSUTIL_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
 	NSSUTIL_ARG_ENTRY(DES,SECMOD_DES_FLAG),
 	NSSUTIL_ARG_ENTRY(DH,SECMOD_DH_FLAG),
 	NSSUTIL_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
 	NSSUTIL_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
 	NSSUTIL_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
+	NSSUTIL_ARG_ENTRY(SHA256,SECMOD_SHA256_FLAG),
+	NSSUTIL_ARG_ENTRY(SHA512,SECMOD_SHA512_FLAG),
 	NSSUTIL_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
 	NSSUTIL_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
 	NSSUTIL_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
 	NSSUTIL_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
 	NSSUTIL_ARG_ENTRY(AES,SECMOD_AES_FLAG),
 	NSSUTIL_ARG_ENTRY(Camellia,SECMOD_CAMELLIA_FLAG),
 	NSSUTIL_ARG_ENTRY(SEED,SECMOD_SEED_FLAG),
 	NSSUTIL_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
@@ -1057,16 +1059,17 @@ char *
 		   char **filename, PRBool *rw)
 {
     int next;
     char *configdir = NULL;
     char *secmodName = NULL;
     char *value = NULL;
     char *save_params = param;
     const char *lconfigdir;
+    PRBool noModDB = PR_FALSE;
     param = NSSUTIL_ArgStrip(param);
 	
 
     while (*param) {
 	NSSUTIL_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
 	NSSUTIL_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
 	NSSUTIL_HANDLE_FINAL_ARG(param)
    }
@@ -1081,27 +1084,32 @@ char *
 	secmodName = PORT_Strdup(SECMOD_DB);
    }
 
    *filename = secmodName;
    lconfigdir = _NSSUTIL_EvaluateConfigDir(configdir, dbType, appName);
 
    if (NSSUTIL_ArgHasFlag("flags","noModDB",save_params)) {
 	/* there isn't a module db, don't load the legacy support */
+	noModDB = PR_TRUE;
 	*dbType = NSS_DB_TYPE_SQL;
+	PORT_Free(*filename);
+	*filename = NULL;
         *rw = PR_FALSE;
    }
 
    /* only use the renamed secmod for legacy databases */
    if ((*dbType != NSS_DB_TYPE_LEGACY) && 
 	(*dbType != NSS_DB_TYPE_MULTIACCESS)) {
 	secmodName="pkcs11.txt";
    }
 
-   if (lconfigdir) {
+   if (noModDB) {
+	value = NULL;
+   } else if (lconfigdir && lconfigdir[0] != '\0') {
 	value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
 			lconfigdir,secmodName);
    } else {
 	value = PR_smprintf("%s",secmodName);
    }
    if (configdir) PORT_Free(configdir);
    return value;
 }
--- a/security/nss/lib/util/utilpars.h
+++ b/security/nss/lib/util/utilpars.h
@@ -1,16 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _UTILPARS_H_
 #define _UTILPARS_H_ 1
 
 #include "utilparst.h"
+#include "plarena.h"
 
 /* handle a module db request */
 char ** NSSUTIL_DoModuleDBFunction(unsigned long function,char *parameters, void *args);
 
 /* parsing functions */
 char *NSSUTIL_ArgFetchValue(char *string, int *pcount);
 char *NSSUTIL_ArgStrip(char *c);
 char *NSSUTIL_ArgGetParamValue(char *paramName,char *parameters);
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -124,16 +124,39 @@ crlu()
         cert_log "ERROR: ${CU_ACTION} failed $RET"
     else
         html_passed "${CU_ACTION}"
     fi
 
     return $RET
 }
 
+################################ ocspr ##################################
+# local shell function to call ocsresp, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+#########################################################################
+ocspr()
+{
+    echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
+
+    OCSPRESP="ocspresp"
+    echo "$OCSPRESP $*"
+    ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
+    RET=$?
+    if [ "$RET" -ne 0 ]; then
+        OCSPFAILED=$RET
+        html_failed "${OR_ACTION} ($RET) "
+        cert_log "ERROR: ${OR_ACTION} failed $RET"
+    else
+        html_passed "${OR_ACTION}"
+    fi
+
+    return $RET
+}
+
 modu()
 {
     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
 
     MODUTIL="modutil"
     echo "$MODUTIL $*"
     # echo is used to press Enter expected by modutil
     echo | ${BINDIR}/$MODUTIL $*
@@ -1430,16 +1453,24 @@ cert_test_distrust()
   certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
   certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
   certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   RETEXPECTED=0
 }
 
+cert_test_ocspresp()
+{
+  echo "$SCRIPTNAME: OCSP response creation selftest"
+  OR_ACTION="perform selftest"
+  RETEXPECTED=0
+  ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
+}
+
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
 ########################################################################
 cert_cleanup()
 {
   cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
   html "</TABLE><BR>" 
@@ -1454,16 +1485,17 @@ cert_all_CA
 cert_extended_ssl 
 cert_ssl 
 cert_smime_client        
 cert_fips
 cert_eccurves
 cert_extensions
 cert_test_password
 cert_test_distrust
+cert_test_ocspresp
 
 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
     cert_crl_ssl
 else
     echo "$SCRIPTNAME: Skipping CRL Tests"
 fi
 
 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -173,17 +173,18 @@ chains_init()
     PK7_NONCE=${CERT_SN_CNT}
     SCEN_CNT=${CERT_SN_CNT}
 
     AIA_FILES="${HOSTDIR}/aiafiles"
 
     CU_DATA=${HOSTDIR}/cu_data
     CRL_DATA=${HOSTDIR}/crl_data
 
-    NSS_AIA_PORT=${NSS_AIA_PORT-8641}
+    DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
+    NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
     NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
     NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
 
     if [ -n "${NSS_AIA_PATH}" ]; then
         HTTPPID=${NSS_AIA_PATH}/http_pid.$$
         mkdir -p "${NSS_AIA_PATH}"
         pushd "${NSS_AIA_PATH}"
         start_httpserv
--- a/security/patches/README
+++ b/security/patches/README
@@ -1,12 +1,3 @@
 This directory contains patches that were added locally
 on top of the NSS release.
 
-bug-797572: Export SRTP functions from libssl, needed for WebRTC. This will be
-            included in the final NSS 3.14 release.
-bug-683266.patch - Added so we can customize code signing trust for b2g in
-                   bug 772365. Also requires removal of
-                   security/nss/lib/ckfw/builtins/certdata.c.
-bug-808218.patch - Added so the code in bug 772365 will compile without casts
-bug-812802.patch - Added so that the version of addbuiltin in this repository
-                   can be used (if built) to regenerate b2g-certdata.txt for
-                   bug 772365.
deleted file mode 100644
--- a/security/patches/bug-683266.patch
+++ /dev/null
@@ -1,268 +0,0 @@
-Index: mozilla/security/nss/lib/ckfw/builtins/Makefile
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ckfw/builtins/Makefile,v
-retrieving revision 1.21
-diff -u -8 -p -r1.21 Makefile
---- mozilla/security/nss/lib/ckfw/builtins/Makefile	25 Apr 2012 14:49:29 -0000	1.21
-+++ mozilla/security/nss/lib/ckfw/builtins/Makefile	29 Nov 2012 01:53:17 -0000
-@@ -39,10 +39,16 @@ EXTRA_SHARED_LIBS += \
- 	-lnspr4 \
- 	$(NULL)
- endif
- 
- 
- include $(CORE_DEPTH)/coreconf/rules.mk
- 
- # Generate certdata.c.
--generate:
--	$(PERL) certdata.perl < certdata.txt
-+
-+# By default, use the unmodified certdata.txt.
-+ifndef NSS_CERTDATA_TXT
-+NSS_CERTDATA_TXT = certdata.txt
-+endif
-+
-+$(OBJDIR)/certdata.c: $(NSS_CERTDATA_TXT) certdata.perl
-+	$(PERL) certdata.perl < $(NSS_CERTDATA_TXT) > $@
-Index: mozilla/security/nss/lib/ckfw/builtins/README
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ckfw/builtins/README,v
-retrieving revision 1.5
-diff -u -8 -p -r1.5 README
---- mozilla/security/nss/lib/ckfw/builtins/README	13 Apr 2005 01:45:53 -0000	1.5
-+++ mozilla/security/nss/lib/ckfw/builtins/README	29 Nov 2012 01:53:17 -0000
-@@ -15,34 +15,31 @@ environment variable. Then, add the dire
- libraries (DLLs) reside to the platform-specific environment variable that
- specifies your shared library search path: LD_LIBRARY_PATH (most Unix
- variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows).
- 
- 2. Copy newroot.der to this directory.
- 
- 3. In this directory, run addbuiltin to add the new root certificate. The
- argument to the -n option should be replaced by the nickname of the root
--certificate. Then run "gmake generate".
-+certificate.
- 
-     % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt
--    % gmake generate
- 
- 4. Edit nssckbi.h to bump the version of the module.
- 
- 5. Run gmake in this directory to build the nssckbi module.
- 
- 6. After you verify that the new nssckbi module is correct, check in
--certdata.txt, certdata.c, and nssckbi.h.
-+certdata.txt and nssckbi.h.
- 
- II. Removing a Builtin Root CA Certificate
- 
- 1. Change directory to this directory.
- 
- 2. Edit certdata.txt and remove the root CA certificate.
- 
--3. Run "gmake generate".
-+3. Edit nssckbi.h to bump the version of the module.
- 
--4. Edit nssckbi.h to bump the version of the module.
--
--5. Run gmake in this directory to build the nssckbi module.
-+4. Run gmake in this directory to build the nssckbi module.
- 
--6. After you verify that the new nssckbi module is correct, check in
--certdata.txt, certdata.c, and nssckbi.h.
-+5. After you verify that the new nssckbi module is correct, check in
-+certdata.txt and nssckbi.h.
-Index: mozilla/security/nss/lib/ckfw/builtins/certdata.perl
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.perl,v
-retrieving revision 1.15
-diff -u -8 -p -r1.15 certdata.perl
---- mozilla/security/nss/lib/ckfw/builtins/certdata.perl	4 Jul 2012 15:21:49 -0000	1.15
-+++ mozilla/security/nss/lib/ckfw/builtins/certdata.perl	29 Nov 2012 01:53:17 -0000
-@@ -20,17 +20,16 @@ $constants{CK_FALSE} = "static const CK_
- while(<>) {
-   my @fields = ();
-   my $size;
- 
-   s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
-   next if (/^\s*$/);
- 
-   if( /(^CVS_ID\s+)(.*)/ ) {
--#    print "The CVS ID is $2\n";
-     $cvsid = $2 . "\"; $cvs_id\"";
-     my $scratch = $cvsid;
-     $size = 1 + $scratch =~ s/[^"\n]//g;
-     @{$objects[0][0]} = ( "CKA_CLASS", "&cko_data", "sizeof(CK_OBJECT_CLASS)" );
-     @{$objects[0][1]} = ( "CKA_TOKEN", "&ck_true", "sizeof(CK_BBOOL)" );
-     @{$objects[0][2]} = ( "CKA_PRIVATE", "&ck_false", "sizeof(CK_BBOOL)" );
-     @{$objects[0][3]} = ( "CKA_MODIFIABLE", "&ck_false", "sizeof(CK_BBOOL)" );
-     @{$objects[0][4]} = ( "CKA_LABEL", "\"CVS ID\"", "7" );
-@@ -124,112 +123,109 @@ for( $i = 0; $i <= $count; $i++ ) {
-   }
- }
- 
- }
- 
- sub doprint {
- my $i;
- 
--open(CFILE, ">certdata.c") || die "Can't open certdata.c: $!";
--
--print CFILE <<EOD
-+print <<EOD
- /* THIS IS A GENERATED FILE */
- /* This Source Code Form is subject to the terms of the Mozilla Public
-  * License, v. 2.0. If a copy of the MPL was not distributed with this
-  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
- #ifdef DEBUG
- static const char CVS_ID[] = $cvsid;
- #endif /* DEBUG */
- 
- #ifndef BUILTINS_H
- #include "builtins.h"
- #endif /* BUILTINS_H */
- 
- EOD
-     ;
- 
- foreach $b (sort values(%constants)) {
--  print CFILE $b;
-+  print $b;
- }
- 
- for( $i = 0; $i <= $count; $i++ ) {
-   if( 0 == $i ) {
--    print CFILE "#ifdef DEBUG\n";
-+    print "#ifdef DEBUG\n";
-   }
- 
--  print CFILE "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
-+  print "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
-   $o = $objects[$i];
-- # print STDOUT "type $i object $o \n";
-   my @ob = @{$o};
-   my $j;
-   for( $j = 0; $j < @ob; $j++ ) {
-     my $l = $ob[$j];
-     my @a = @{$l};
--    print CFILE " $a[0]";
-+    print " $a[0]";
-     if( $j+1 != @ob ) {
--      print CFILE ", ";
-+      print ", ";
-     }
-   }
--  print CFILE "\n};\n";
-+  print "\n};\n";
- 
-   if( 0 == $i ) {
--    print CFILE "#endif /* DEBUG */\n";
-+    print "#endif /* DEBUG */\n";
-   }
- }
- 
- for( $i = 0; $i <= $count; $i++ ) {
-   if( 0 == $i ) {
--    print CFILE "#ifdef DEBUG\n";
-+    print "#ifdef DEBUG\n";
-   }
- 
--  print CFILE "static const NSSItem nss_builtins_items_$i [] = {\n";
-+  print "static const NSSItem nss_builtins_items_$i [] = {\n";
-   $o = $objects[$i];
-   my @ob = @{$o};
-   my $j;
-   for( $j = 0; $j < @ob; $j++ ) {
-     my $l = $ob[$j];
-     my @a = @{$l};
--    print CFILE "  { (void *)$a[1], (PRUint32)$a[2] }";
-+    print "  { (void *)$a[1], (PRUint32)$a[2] }";
-     if( $j+1 != @ob ) {
--      print CFILE ",\n";
-+      print ",\n";
-     } else {
--      print CFILE "\n";
-+      print "\n";
-     }
-   }
--  print CFILE "};\n";
-+  print "};\n";
- 
-   if( 0 == $i ) {
--    print CFILE "#endif /* DEBUG */\n";
-+    print "#endif /* DEBUG */\n";
-   }
- }
- 
--print CFILE "\nbuiltinsInternalObject\n";
--print CFILE "nss_builtins_data[] = {\n";
-+print "\nbuiltinsInternalObject\n";
-+print "nss_builtins_data[] = {\n";
- 
- for( $i = 0; $i <= $count; $i++ ) {
- 
-   if( 0 == $i ) {
--    print CFILE "#ifdef DEBUG\n";
-+    print "#ifdef DEBUG\n";
-   }
- 
--  print CFILE "  { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i, {NULL} }";
-+  print "  { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i, {NULL} }";
- 
-   if( $i == $count ) {
--    print CFILE "\n";
-+    print "\n";
-   } else {
--    print CFILE ",\n";
-+    print ",\n";
-   }
- 
-   if( 0 == $i ) {
--    print CFILE "#endif /* DEBUG */\n";
-+    print "#endif /* DEBUG */\n";
-   }
- }
- 
--print CFILE "};\n";
-+print "};\n";
- 
--print CFILE "const PRUint32\n";
--print CFILE "#ifdef DEBUG\n";
--print CFILE "  nss_builtins_nObjects = $count+1;\n";
--print CFILE "#else\n";
--print CFILE "  nss_builtins_nObjects = $count;\n";
--print CFILE "#endif /* DEBUG */\n";
-+print "const PRUint32\n";
-+print "#ifdef DEBUG\n";
-+print "  nss_builtins_nObjects = $count+1;\n";
-+print "#else\n";
-+print "  nss_builtins_nObjects = $count;\n";
-+print "#endif /* DEBUG */\n";
- }
-Index: mozilla/security/nss/lib/ckfw/builtins/config.mk
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ckfw/builtins/config.mk,v
-retrieving revision 1.15
-diff -u -8 -p -r1.15 config.mk
---- mozilla/security/nss/lib/ckfw/builtins/config.mk	25 Apr 2012 14:49:29 -0000	1.15
-+++ mozilla/security/nss/lib/ckfw/builtins/config.mk	29 Nov 2012 01:53:17 -0000
-@@ -19,16 +19,19 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-     RES = $(OBJDIR)/$(LIBRARY_NAME).res
-     RESNAME = $(LIBRARY_NAME).rc
- endif
- 
- ifdef BUILD_IDG
-     DEFINES += -DNSSDEBUG
- endif
- 
-+# Needed for compilation of $(OBJDIR)/certdata.c
-+INCLUDES += -I$(CORE_DEPTH)/nss/lib/ckfw/builtins
-+
- #
- # To create a loadable module on Darwin, we must use -bundle.
- #
- ifeq ($(OS_TARGET),Darwin)
- ifndef USE_64
- DSO_LDOPTS = -bundle
- endif
- endif
deleted file mode 100644
--- a/security/patches/bug-797572
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
---- a/security/nss/lib/ssl/ssl.def
-+++ b/security/nss/lib/ssl/ssl.def
-@@ -146,11 +146,13 @@ SSL_AuthCertificateComplete;
- DTLS_GetHandshakeTimeout;
- DTLS_ImportFD;
- SSL_ExportKeyingMaterial;
- SSL_VersionRangeGet;
- SSL_VersionRangeGetDefault;
- SSL_VersionRangeGetSupported;
- SSL_VersionRangeSet;
- SSL_VersionRangeSetDefault;
-+SSL_GetSRTPCipher;
-+SSL_SetSRTPCiphers;
- ;+    local:
- ;+*;
- ;+};
deleted file mode 100644
--- a/security/patches/bug-808218.patch
+++ /dev/null
@@ -1,367 +0,0 @@
-Index: mozilla/security/nss/lib/nss/utilwrap.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/nss/utilwrap.c,v
-retrieving revision 1.7
-diff -u -8 -p -r1.7 utilwrap.c
---- mozilla/security/nss/lib/nss/utilwrap.c	25 Apr 2012 14:50:04 -0000	1.7
-+++ mozilla/security/nss/lib/nss/utilwrap.c	27 Nov 2012 03:08:28 -0000
-@@ -642,17 +642,17 @@ char *BTOA_DataToAscii(const unsigned ch
-     return BTOA_DataToAscii_Util(data, len);
- }
- 
- unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp)
- {
-     return ATOB_AsciiToData_Util(string, lenp);
- }
-  
--SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
-+SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii)
- {
-     return ATOB_ConvertAsciiToItem_Util(binary_item, ascii);
- }
- 
- char *BTOA_ConvertItemToAscii(SECItem *binary_item)
- {
-     return BTOA_ConvertItemToAscii_Util(binary_item);
- }
-Index: mozilla/security/nss/lib/pk11wrap/pk11cxt.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cxt.c,v
-retrieving revision 1.9
-diff -u -8 -p -r1.9 pk11cxt.c
---- mozilla/security/nss/lib/pk11wrap/pk11cxt.c	25 Apr 2012 14:50:04 -0000	1.9
-+++ mozilla/security/nss/lib/pk11wrap/pk11cxt.c	27 Nov 2012 03:08:28 -0000
-@@ -587,17 +587,17 @@ SECStatus PK11_DigestBegin(PK11Context *
-     if (rv != SECSuccess) {
- 	return SECFailure;
-     }
-     cx->init = PR_TRUE;
-     return SECSuccess;
- }
- 
- SECStatus
--PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, 
-+PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, const unsigned char *in,
- 								PRInt32 len) {
-     PK11Context *context;
-     unsigned int max_length;
-     unsigned int out_length;
-     SECStatus rv;
- 
-     /* len will be passed to PK11_DigestOp as unsigned. */
-     if (len < 0) {
-@@ -632,17 +632,17 @@ PK11_HashBuf(SECOidTag hashAlg, unsigned
- }
- 
- 
- /*
-  * execute a bulk encryption operation
-  */
- SECStatus
- PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
--				int maxout, unsigned char *in, int inlen)
-+				int maxout, const unsigned char *in, int inlen)
- {
-     CK_RV crv = CKR_OK;
-     CK_ULONG length = maxout;
-     CK_ULONG offset =0;
-     SECStatus rv = SECSuccess;
-     unsigned char *saveOut = out;
-     unsigned char *allocOut = NULL;
- 
-@@ -682,34 +682,36 @@ PK11_CipherOp(PK11Context *context, unsi
- 		random,sizeof(random),out,&length);
- 
- 	    out += length;
- 	    maxout -= length;
- 	    offset = length;
- 	} else if (context->operation == CKA_DECRYPT) {
- 	    length = sizeof(random);
- 	    crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
--		in,sizeof(random),random,&length);
-+		(CK_BYTE_PTR)in,sizeof(random),random,&length);
- 	    inlen -= length;
- 	    in += length;
- 	    context->fortezzaHack = PR_FALSE;
- 	}
-     }
- 
-     switch (context->operation) {
-     case CKA_ENCRYPT:
- 	length = maxout;
- 	crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
--						in, inlen, out, &length);
-+							(CK_BYTE_PTR)in, inlen,
-+							out, &length);
- 	length += offset;
- 	break;
-     case CKA_DECRYPT:
- 	length = maxout;
- 	crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
--						in, inlen, out, &length);
-+							(CK_BYTE_PTR)in, inlen,
-+							out, &length);
- 	break;
-     default:
- 	crv = CKR_OPERATION_NOT_INITIALIZED;
- 	break;
-     }
- 
-     if (crv != CKR_OK) {
-         PORT_SetError( PK11_MapError(crv) );
-Index: mozilla/security/nss/lib/pk11wrap/pk11obj.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11obj.c,v
-retrieving revision 1.28
-diff -u -8 -p -r1.28 pk11obj.c
---- mozilla/security/nss/lib/pk11wrap/pk11obj.c	16 Nov 2012 13:02:39 -0000	1.28
-+++ mozilla/security/nss/lib/pk11wrap/pk11obj.c	27 Nov 2012 03:08:28 -0000
-@@ -595,18 +595,18 @@ pk11_FindAttrInTemplate(CK_ATTRIBUTE *at
-     return PR_FALSE;
- }
- 	
- /*
-  * Recover the Signed data. We need this because our old verify can't
-  * figure out which hash algorithm to use until we decryptted this.
-  */
- SECStatus
--PK11_VerifyRecover(SECKEYPublicKey *key,
--			 	SECItem *sig, SECItem *dsig, void *wincx)
-+PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig,
-+		   SECItem *dsig, void *wincx)
- {
-     PK11SlotInfo *slot = key->pkcs11Slot;
-     CK_OBJECT_HANDLE id = key->pkcs11ID;
-     CK_MECHANISM mech = {0, NULL, 0 };
-     PRBool owner = PR_TRUE;
-     CK_SESSION_HANDLE session;
-     CK_ULONG len;
-     CK_RV crv;
-@@ -655,17 +655,18 @@ PK11_VerifyRecover(SECKEYPublicKey *key,
-     PK11_FreeSlot(slot);
-     return SECSuccess;
- }
- 
- /*
-  * verify a signature from its hash.
-  */
- SECStatus
--PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
-+PK11_Verify(SECKEYPublicKey *key, const SECItem *sig, const SECItem *hash,
-+	    void *wincx)
- {
-     PK11SlotInfo *slot = key->pkcs11Slot;
-     CK_OBJECT_HANDLE id = key->pkcs11ID;
-     CK_MECHANISM mech = {0, NULL, 0 };
-     PRBool owner = PR_TRUE;
-     CK_SESSION_HANDLE session;
-     CK_RV crv;
- 
-@@ -724,17 +725,17 @@ PK11_Verify(SECKEYPublicKey *key, SECIte
-     }
-     return SECSuccess;
- }
- 
- /*
-  * sign a hash. The algorithm is determined by the key.
-  */
- SECStatus
--PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
-+PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, const SECItem *hash)
- {
-     PK11SlotInfo *slot = key->pkcs11Slot;
-     CK_MECHANISM mech = {0, NULL, 0 };
-     PRBool owner = PR_TRUE;
-     CK_SESSION_HANDLE session;
-     PRBool haslock = PR_FALSE;
-     CK_ULONG len;
-     CK_RV crv;
-Index: mozilla/security/nss/lib/pk11wrap/pk11pub.h
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pub.h,v
-retrieving revision 1.41
-diff -u -8 -p -r1.41 pk11pub.h
---- mozilla/security/nss/lib/pk11wrap/pk11pub.h	29 Jun 2012 17:46:25 -0000	1.41
-+++ mozilla/security/nss/lib/pk11wrap/pk11pub.h	27 Nov 2012 03:08:28 -0000
-@@ -653,43 +653,44 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotIn
-  * Return the length in bytes of a signature generated with the
-  * private key.
-  *
-  * Return 0 or -1 on failure.  (XXX Should we fix it to always return
-  * -1 on failure?)
-  */
- int PK11_SignatureLen(SECKEYPrivateKey *key);
- PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
--SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
--SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
--						 SECItem *dsig, void * wincx);
--SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, 
--						SECItem *hash, void *wincx);
-+SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig,
-+		    const SECItem *hash);
-+SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig,
-+			     SECItem *dsig, void * wincx);
-+SECStatus PK11_Verify(SECKEYPublicKey *key, const SECItem *sig,
-+		      const SECItem *hash, void *wincx);
- 
- 
- 
- /**********************************************************************
-  *                   Crypto Contexts
-  **********************************************************************/
- void PK11_DestroyContext(PK11Context *context, PRBool freeit);
- PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
- 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
- PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
- PK11Context *PK11_CloneContext(PK11Context *old);
- SECStatus PK11_DigestBegin(PK11Context *cx);
- /*
-  * The output buffer 'out' must be big enough to hold the output of
-  * the hash algorithm 'hashAlg'.
-  */
--SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
--					PRInt32 len);
-+SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out,
-+		       const unsigned char *in, PRInt32 len);
- SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, 
-                         unsigned len);
- SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
--				int maxout, unsigned char *in, int inlen);
-+			int maxout, const unsigned char *in, int inlen);
- SECStatus PK11_Finalize(PK11Context *context);
- SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, 
- 				unsigned int *outLen, unsigned int length);
- SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
- 						int *len, int saveLength);
- 
- /* Save the context's state, with possible allocation.
-  * The caller may supply an already allocated buffer in preAllocBuf,
-Index: mozilla/security/nss/lib/pkcs7/p7decode.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v
-retrieving revision 1.29
-diff -u -8 -p -r1.29 p7decode.c
---- mozilla/security/nss/lib/pkcs7/p7decode.c	25 Apr 2012 14:50:06 -0000	1.29
-+++ mozilla/security/nss/lib/pkcs7/p7decode.c	27 Nov 2012 03:08:28 -0000
-@@ -1275,22 +1275,22 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten
-  * to encrypt the content.  So before we can pass the digest to VerifyDigest,
-  * we need to decrypt it with the bulk encryption key.  Also, in this case,
-  * there should be NO authenticatedAttributes (signerinfo->authAttr should
-  * be NULL).
-  */
- static PRBool
- sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
- 			   SECCertUsage certusage,
--			   SECItem *detached_digest,
-+			   const SECItem *detached_digest,
- 			   HASH_HashType digest_type,
- 			   PRBool keepcerts)
- {
-     SECAlgorithmID **digestalgs, *bulkid;
--    SECItem *digest;
-+    const SECItem *digest;
-     SECItem **digests;
-     SECItem **rawcerts;
-     CERTSignedCrl **crls;
-     SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
-     CERTCertificate *cert, **certs;
-     PRBool goodsig;
-     CERTCertDBHandle *certdb, *defaultdb; 
-     SECOidTag encTag,digestTag;
-@@ -1769,17 +1769,17 @@ SEC_PKCS7VerifySignature(SEC_PKCS7Conten
-  *	for the purpose specified by "certusage".
-  *
-  *	In addition, if "keepcerts" is true, add any new certificates found
-  *	into our local database.
-  */
- PRBool
- SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- 				 SECCertUsage certusage,
--				 SECItem *detached_digest,
-+				 const SECItem *detached_digest,
- 				 HASH_HashType digest_type,
- 				 PRBool keepcerts)
- {
-     return sec_pkcs7_verify_signature (cinfo, certusage,
- 				       detached_digest, digest_type,
- 				       keepcerts);
- }
- 
-Index: mozilla/security/nss/lib/pkcs7/secpkcs7.h
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v
-retrieving revision 1.9
-diff -u -8 -p -r1.9 secpkcs7.h
---- mozilla/security/nss/lib/pkcs7/secpkcs7.h	25 Apr 2012 14:50:06 -0000	1.9
-+++ mozilla/security/nss/lib/pkcs7/secpkcs7.h	27 Nov 2012 03:08:28 -0000
-@@ -124,17 +124,17 @@ extern PRBool SEC_PKCS7VerifySignature(S
-  *	The verification checks that the signing cert is valid and trusted
-  *	for the purpose specified by "certusage".
-  *
-  *	In addition, if "keepcerts" is true, add any new certificates found
-  *	into our local database.
-  */
- extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- 					       SECCertUsage certusage,
--					       SECItem *detached_digest,
-+					       const SECItem *detached_digest,
- 					       HASH_HashType digest_type,
- 					       PRBool keepcerts);
- 
- /*
-  * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
-  *      The passed-in contentInfo is espected to be Signed, and these
-  *      functions return the specified portion of the full signer name.
-  *
-Index: mozilla/security/nss/lib/util/base64.h
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/util/base64.h,v
-retrieving revision 1.4
-diff -u -8 -p -r1.4 base64.h
---- mozilla/security/nss/lib/util/base64.h	25 Apr 2012 14:50:16 -0000	1.4
-+++ mozilla/security/nss/lib/util/base64.h	27 Nov 2012 03:08:29 -0000
-@@ -26,17 +26,17 @@ extern char *BTOA_DataToAscii(const unsi
- ** Return an PORT_Alloc'd string which is the base64 decoded version
- ** of the input string; set *lenp to the length of the returned data.
- */
- extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
-  
- /*
- ** Convert from ascii to binary encoding of an item.
- */
--extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii);
-+extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii);
- 
- /*
- ** Convert from binary encoding of an item to ascii.
- */
- extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
- 
- SEC_END_PROTOS
- 
-Index: mozilla/security/nss/lib/util/nssb64d.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/util/nssb64d.c,v
-retrieving revision 1.9
-diff -u -8 -p -r1.9 nssb64d.c
---- mozilla/security/nss/lib/util/nssb64d.c	25 Apr 2012 14:50:16 -0000	1.9
-+++ mozilla/security/nss/lib/util/nssb64d.c	27 Nov 2012 03:08:29 -0000
-@@ -804,17 +804,17 @@ ATOB_AsciiToData(const char *string, uns
-     *lenp = dummy->len;
-     return dummy->data;
- }
-  
- /*
- ** Convert from ascii to binary encoding of an item.
- */
- SECStatus
--ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
-+ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii)
- {
-     SECItem *dummy;
- 
-     if (binary_item == NULL) {
- 	PORT_SetError (SEC_ERROR_INVALID_ARGS);
- 	return SECFailure;
-     }
- 
deleted file mode 100644
--- a/security/patches/bug-812802.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: mozilla/security/nss/cmd/addbuiltin/addbuiltin.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/addbuiltin/addbuiltin.c,v
-retrieving revision 1.19
-diff -u -8 -p -r1.19 addbuiltin.c
---- mozilla/security/nss/cmd/addbuiltin/addbuiltin.c	4 Jul 2012 15:21:47 -0000	1.19
-+++ mozilla/security/nss/cmd/addbuiltin/addbuiltin.c	27 Nov 2012 03:48:11 -0000
-@@ -468,16 +468,29 @@ int main(int argc, char **argv)
- 	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
- 	            progName);
- 	    exit(1);
- 	}
- #endif
- 	infile = PR_STDIN;
-     }
- 
-+#if defined(WIN32)
-+    /* We must put stdout into O_BINARY mode or else the output will include
-+    ** carriage returns.
-+    */
-+    {
-+	int smrv = _setmode(_fileno(stdout), _O_BINARY);
-+	if (smrv == -1) {
-+	    fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName);
-+	    exit(1);
-+	}
-+    }
-+#endif
-+
-     nickname = strdup(addbuiltin.options[opt_Nickname].arg);
-     
-     NSS_NoDB_Init(NULL);
- 
-     if (addbuiltin.options[opt_Distrust].activated ||
-         addbuiltin.options[opt_DistrustCRL].activated) {
-       addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
-       addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;