Merge pull request #17 from roytam1/tls12

TLS 1.2
2018-06-14 03:37:44 -04:00 · 2018-06-14 03:37:44 -04:00 · bb6b8a03fa
parent 8ad99e701f 14c631acd3
commit bb6b8a03fa
2437 changed files with 249243 additions and 161942 deletions
--- a/nsprpub/lib/ds/plarena.c
+++ b/nsprpub/lib/ds/plarena.c
@ -260,6 +260,21 @@ PR_IMPLEMENT(void *) PL_ArenaGrow(
    return newp;
 }

+static void ClearArenaList(PLArena *a, PRInt32 pattern)
+{
+
+    for (; a; a = a->next) {
+        PR_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+        a->avail = a->base;
+	PL_CLEAR_UNUSED_PATTERN(a, pattern);
+    }
+}
+
+PR_IMPLEMENT(void) PL_ClearArenaPool(PLArenaPool *pool, PRInt32 pattern)
+{
+    ClearArenaList(pool->first.next, pattern);
+}
+
 /*
 * Free tail arenas linked after head, which may not be the true list head.
 * Reset pool->current to point to head in case it pointed at a tail arena.
@ -274,12 +289,7 @@ static void FreeArenaList(PLArenaPool *pool, PLArena *head, PRBool reallyFree)
        return;

 #ifdef DEBUG
-    do {
-        PR_ASSERT(a->base <= a->avail && a->avail <= a->limit);
-        a->avail = a->base;
-        PL_CLEAR_UNUSED(a);
-    } while ((a = a->next) != 0);
-    a = *ap;
+    ClearArenaList(a, PL_FREE_PATTERN);
 #endif

    if (reallyFree) {
--- a/nsprpub/lib/ds/plarena.h
+++ b/nsprpub/lib/ds/plarena.h
@ -138,11 +138,12 @@ struct PLArenaPool {
 #define PL_ARENA_MARK(pool) ((void *) (pool)->current->avail)
 #define PR_UPTRDIFF(p,q) ((PRUword)(p) - (PRUword)(q))

+#define PL_CLEAR_UNUSED_PATTERN(a, pattern) \
+	   (PR_ASSERT((a)->avail <= (a)->limit), \
+	   memset((void*)(a)->avail, (pattern), (a)->limit - (a)->avail))
 #ifdef DEBUG
 #define PL_FREE_PATTERN 0xDA
-#define PL_CLEAR_UNUSED(a) (PR_ASSERT((a)->avail <= (a)->limit), \
-                           memset((void*)(a)->avail, PL_FREE_PATTERN, \
-                           (a)->limit - (a)->avail))
+#define PL_CLEAR_UNUSED(a) PL_CLEAR_UNUSED_PATTERN((a), PL_FREE_PATTERN)
 #define PL_CLEAR_ARENA(a)  memset((void*)(a), PL_FREE_PATTERN, \
                           (a)->limit - (PRUword)(a))
 #else
--- a/nsprpub/lib/ds/plarenas.h
+++ b/nsprpub/lib/ds/plarenas.h
@ -108,6 +108,11 @@ PR_EXTERN(void *) PL_ArenaGrow(

 PR_EXTERN(void) PL_ArenaRelease(PLArenaPool *pool, char *mark);

+/*
+** memset contents of all arenas in pool to pattern
+*/
+PR_EXTERN(void) PL_ClearArenaPool(PLArenaPool *pool, PRInt32 pattern);
+
 PR_END_EXTERN_C

 #endif /* defined(PLARENAS_H) */
--- a/nsprpub/lib/ds/plds.def
+++ b/nsprpub/lib/ds/plds.def
@ -81,3 +81,8 @@ libVersionPoint;
 PL_HashTableLookupConst;
 PL_HashTableRawLookupConst;
 ;+} NSPR_4.0;
+;+
+;+NSPR_4.8.5 {
+;+    global:
+PL_ClearArenaPool;
+;+} NSPR_4.1;
--- a/nsprpub/pr/include/prtypes.h
+++ b/nsprpub/pr/include/prtypes.h
@ -277,6 +277,13 @@
 #define PR_MAX(x,y)     ((x)>(y)?(x):(y))
 #define PR_ABS(x)       ((x)<0?-(x):(x))

+/***********************************************************************
+** MACROS:      PR_ARRAY_SIZE
+** DESCRIPTION:
+**  The number of elements in an array.
+***********************************************************************/
+#define PR_ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0]))
+
 PR_BEGIN_EXTERN_C

 /************************************************************************
--- a/nsprpub/pr/tests/sprintf.c
+++ b/nsprpub/pr/tests/sprintf.c
@ -56,8 +56,6 @@
 #include <stdio.h>
 #include <stdlib.h>

-#define countof(a) (sizeof(a)/sizeof(a[0]))
-
 static char sbuf[20000];


@ -121,15 +119,15 @@ static void TestI(void)
    int f, s, n, p;
    char fmt[20];

-    for (f = 0; f < countof(formats); f++) {
-	for (s = 0; s < countof(signs); s++) {
-	    for (p = 0; p < countof(precs); p++) {
+    for (f = 0; f < PR_ARRAY_SIZE(formats); f++) {
+	for (s = 0; s < PR_ARRAY_SIZE(signs); s++) {
+	    for (p = 0; p < PR_ARRAY_SIZE(precs); p++) {
 		fmt[0] = '%';
 		fmt[1] = 0;
 		if (signs[s]) strcat(fmt, signs[s]);
 		if (precs[p]) strcat(fmt, precs[p]);
 		if (formats[f]) strcat(fmt, formats[f]);
-		for (n = 0; n < countof(nums); n++) {
+		for (n = 0; n < PR_ARRAY_SIZE(nums); n++) {
 		    test_i(fmt, nums[n]);
 		}
 	    }
@ -213,9 +211,9 @@ static void TestL(void)
    int f, s, n, p;
    char fmt[40], sfmt[40];

-    for (f = 0; f < countof(formats); f++) {
-	for (s = 0; s < countof(signs); s++) {
-	    for (p = 0; p < countof(precs); p++) {
+    for (f = 0; f < PR_ARRAY_SIZE(formats); f++) {
+	for (s = 0; s < PR_ARRAY_SIZE(signs); s++) {
+	    for (p = 0; p < PR_ARRAY_SIZE(precs); p++) {
 		fmt[0] = '%';
 		fmt[1] = 0;
 		if (signs[s]) strcat(fmt, signs[s]);
@ -223,7 +221,7 @@ static void TestL(void)
 		strcpy(sfmt, fmt);
 		if (formats[f]) strcat(fmt, formats[f]);
 		if (sformats[f]) strcat(sfmt, sformats[f]);
-		for (n = 0; n < countof(nums); n++) {
+		for (n = 0; n < PR_ARRAY_SIZE(nums); n++) {
 		    test_l(fmt, sfmt, nums[n]);
 		}
 	    }
@ -336,9 +334,9 @@ static void TestLL(void)
    int f, s, n, p;
    char fmt[40], sfmt[40];

-    for (f = 0; f < countof(formats); f++) {
-	for (s = 0; s < countof(signs); s++) {
-	    for (p = 0; p < countof(precs); p++) {
+    for (f = 0; f < PR_ARRAY_SIZE(formats); f++) {
+	for (s = 0; s < PR_ARRAY_SIZE(signs); s++) {
+	    for (p = 0; p < PR_ARRAY_SIZE(precs); p++) {
 		fmt[0] = '%';
 		fmt[1] = 0;
 		if (signs[s]) strcat(fmt, signs[s]);
@ -346,7 +344,7 @@ static void TestLL(void)
 		strcpy(sfmt, fmt);
 		if (formats[f]) strcat(fmt, formats[f]);
 		if (sformats[f]) strcat(sfmt, sformats[f]);
-		for (n = 0; n < countof(nums); n++) {
+		for (n = 0; n < PR_ARRAY_SIZE(nums); n++) {
 		    test_ll(fmt, sfmt, nums[n]);
 		}
 	    }
@ -424,15 +422,15 @@ static void TestS(void)
    int f, s, n, p;
    char fmt[40];

-    for (f = 0; f < countof(formats); f++) {
-	for (s = 0; s < countof(signs); s++) {
-	    for (p = 0; p < countof(precs); p++) {
+    for (f = 0; f < PR_ARRAY_SIZE(formats); f++) {
+	for (s = 0; s < PR_ARRAY_SIZE(signs); s++) {
+	    for (p = 0; p < PR_ARRAY_SIZE(precs); p++) {
 		fmt[0] = '%';
 		fmt[1] = 0;
 		if (signs[s]) strcat(fmt+strlen(fmt), signs[s]);
 		if (precs[p]) strcat(fmt+strlen(fmt), precs[p]);
 		if (formats[f]) strcat(fmt+strlen(fmt), formats[f]);
-		for (n = 0; n < countof(strs); n++) {
+		for (n = 0; n < PR_ARRAY_SIZE(strs); n++) {
 		    test_s(fmt, strs[n]);
 		}
 	    }
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -949,6 +949,9 @@ static CipherPref CipherPrefs[] = {
 {"security.ssl3.dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with DSA, DHE, and a SHA1 MAC
 {"security.ssl3.rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, // No encryption with RSA authentication and a SHA1 MAC
 {"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC
+ {"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
+ {"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, // 128-bit AES-GCM encryption with ECDHE-ECDSA
+ {"security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, // 128-bit AES-GCM encryption with ECDHE-RSA
 {NULL, 0} /* end marker */
 };

@ -1527,6 +1530,10 @@ nsNSSComponent::InitializeNSS(PRBool showWarningBox)
      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);

+      SSLVersionRange supported;
+      SSL_VersionRangeGetSupported(ssl_variant_stream, &supported);
+      SSL_VersionRangeSetDefault(ssl_variant_stream, &supported);
+
      // Disable any ciphers that NSS might have enabled by default
      for (PRUint16 i = 0; i < SSL_NumImplementedCiphers; ++i)
      {
@ -2031,6 +2038,11 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
    } else if (prefName.Equals("security.enable_tls")) {
      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+
+      SSLVersionRange supported;
+      SSL_VersionRangeGetSupported(ssl_variant_stream, &supported);
+      SSL_VersionRangeSetDefault(ssl_variant_stream, &supported);
+
    } else if (prefName.Equals("security.OCSP.enabled")) {
      setOCSPOptions(mPrefBranch);
    } else {
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@ -1,40 +1,8 @@
 #! gmake
 #
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

 #######################################################################
 # (1) Include initial platform-independent assignments (MANDATORY).   #
@ -58,9 +26,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################

-ifeq ($(OS_TARGET),WINCE)
-DIRS	= lib	# omit cmd since wince has no command line shell
-endif
+

 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
@ -78,23 +44,20 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################

-nss_build_all: build_coreconf build_nspr build_dbm all
+nss_build_all: build_nspr all

-nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+nss_clean_all: clobber_nspr clobber

-build_coreconf:
-	cd $(CORE_DEPTH)/coreconf ;  $(MAKE)
-
-clobber_coreconf:
-	cd $(CORE_DEPTH)/coreconf ;  $(MAKE) clobber
-
-NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
-NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
+NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
+NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure

 #
 # Translate coreconf build options to NSPR configure options.
 #

+ifeq ($(OS_TARGET),Android)
+NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE)
+endif
 ifdef BUILD_OPT
 NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
 endif
@ -127,59 +90,33 @@ USEABSPATH="NO"
 endif
 endif
 ifeq ($(USEABSPATH),"YES")
-NSPR_PREFIX = $(shell pwd)/../../dist/$(OBJDIR_NAME)
+NSPR_PREFIX = $(shell pwd)/../dist/$(OBJDIR_NAME)
 else
 NSPR_PREFIX = $$(topsrcdir)/../dist/$(OBJDIR_NAME)
 endif

 $(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
-	$(NSINSTALL) -D $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)
-	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; \
+	mkdir -p $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+	cd $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) ; \
 	$(NSPR_COMPILERS) sh ../configure \
 	$(NSPR_CONFIGURE_OPTS) \
 	--with-dist-prefix='$(NSPR_PREFIX)' \
 	--with-dist-includedir='$(NSPR_PREFIX)/include'

 build_nspr: $(NSPR_CONFIG_STATUS)
-	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE)
+	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)

 clobber_nspr: $(NSPR_CONFIG_STATUS)
-	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
+	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber

-build_dbm:
-ifndef NSS_DISABLE_DBM
-	cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
-else
-	echo "skipping the build of DBM"
-endif
+build_docs:
+	$(MAKE) -C $(CORE_DEPTH)/doc

-clobber_dbm:
-	cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber
+clean_docs:
+	$(MAKE) -C $(CORE_DEPTH)/doc clean

-moz_import::
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-	$(NSINSTALL) -D $(DIST)/include/nspr
-	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
-	cp $(DIST)/../include/* $(DIST)/include
-ifdef BUILD_OPT
-	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
-else
-	cp $(DIST)/../WIN32_D.OBJ/lib/* $(DIST)/lib
-endif
-	mv $(DIST)/lib/dbm32.lib $(DIST)/lib/dbm.lib
-else
-ifeq ($(OS_TARGET),OS2)
-	cp -rf $(DIST)/../include $(DIST)
-	cp -rf $(DIST)/../lib $(DIST)
-	cp -f $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
-else
-	$(NSINSTALL) -L ../../dist include $(DIST)
-	$(NSINSTALL) -L ../../dist lib $(DIST)
-	cp $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
-endif
-endif
-
-nss_RelEng_bld: build_coreconf import build_dbm all
+nss_RelEng_bld: import all

 package:
 	$(MAKE) -C pkg publish
+
--- a/security/nss/automation/buildbot-slave/bbenv-example.sh
+++ b/security/nss/automation/buildbot-slave/bbenv-example.sh
@ -0,0 +1,69 @@
+#! /bin/bash
+
+# Each buildbot-slave requires a bbenv.sh file that defines
+# machine specific variables. This is an example file.
+
+
+HOST=$(hostname | cut -d. -f1)
+export HOST
+
+# if your machine's IP isn't registered in DNS,
+# you must set appropriate environment variables
+# that can be resolved locally.
+# For example, if localhost.localdomain works on your system, set:
+#HOST=localhost
+#DOMSUF=localdomain
+#export DOMSUF
+
+ARCH=$(uname -s)
+
+ulimit -c unlimited 2> /dev/null
+
+export NSS_ENABLE_ECC=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSPR_LOG_MODULES="pkix:1"
+
+#export JAVA_HOME_32=
+#export JAVA_HOME_64=
+
+#enable if you have PKITS data
+#export PKITS_DATA=$HOME/pkits/data/
+
+NSS_BUILD_TARGET="clean nss_build_all"
+JSS_BUILD_TARGET="clean all"
+
+MAKE=gmake
+AWK=awk
+PATCH=patch
+
+if [ "${ARCH}" = "SunOS" ]; then
+    AWK=nawk
+    PATCH=gpatch
+    ARCH=SunOS/$(uname -p)
+fi
+
+if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then
+   VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release`
+   ARCH=Linux/${VERSION}
+   echo ${ARCH}
+fi
+
+PROCESSOR=$(uname -p)
+if [ "${PROCESSOR}" = "ppc64" ]; then
+    ARCH="${ARCH}/ppc64"
+fi
+if [ "${PROCESSOR}" = "powerpc" ]; then
+    ARCH="${ARCH}/ppc"
+fi
+
+PORT_64_DBG=8543
+PORT_64_OPT=8544
+PORT_32_DBG=8545
+PORT_32_OPT=8546
+
+if [ "${NSS_TESTS}" = "memleak" ]; then
+    PORT_64_DBG=8547
+    PORT_64_OPT=8548
+    PORT_32_DBG=8549
+    PORT_32_OPT=8550
+fi
--- a/security/nss/automation/buildbot-slave/build.sh
+++ b/security/nss/automation/buildbot-slave/build.sh
@ -0,0 +1,378 @@
+#! /bin/bash
+
+# Ensure a failure of the first command inside a pipe
+# won't be hidden by commands later in the pipe.
+# (e.g. as in ./dosomething | grep)
+
+set -o pipefail
+
+proc_args()
+{
+    while [ -n "$1" ]; do
+        OPT=$(echo $1 | cut -d= -f1)
+        VAL=$(echo $1 | cut -d= -f2)
+
+        case $OPT in
+            "--build-nss")
+                BUILD_NSS=1
+                ;;
+            "--test-nss")
+                TEST_NSS=1
+                ;;
+            "--build-jss")
+                BUILD_JSS=1
+                ;;
+            "--test-jss")
+                TEST_JSS=1
+                ;;
+            "--memtest")
+                NSS_TESTS="memleak"
+                export NSS_TESTS
+                ;;
+            "--nojsssign")
+                NO_JSS_SIGN=1
+                ;;
+            *)
+                echo "Usage: $0 ..."
+                echo "    --memtest   - run the memory leak tests"
+                echo "    --nojsssign - try to sign jss"
+                echo "    --build-nss"
+                echo "    --build-jss"
+                echo "    --test-nss"
+                echo "    --test-jss"
+                exit 1
+                ;;
+        esac 
+
+        shift
+    done
+}
+
+set_env()
+{
+    TOPDIR=$(pwd)
+    HGDIR=$(pwd)$(echo "/hg")
+    OUTPUTDIR=$(pwd)$(echo "/output")
+    LOG_ALL="${OUTPUTDIR}/all.log"
+    LOG_TMP="${OUTPUTDIR}/tmp.log"
+
+    echo "hello" |grep --line-buffered hello >/dev/null 2>&1
+    [ $? -eq 0 ] && GREP_BUFFER="--line-buffered"
+}
+
+print_log()
+{
+    DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
+    echo "${DATE} $*"
+    echo "${DATE} $*" >> ${LOG_ALL}
+}
+
+print_result()
+{
+    TESTNAME=$1
+    RET=$2
+    EXP=$3
+
+    if [ ${RET} -eq ${EXP} ]; then
+        print_log "${TESTNAME} PASSED"
+    else
+        print_log "${TESTNAME} FAILED"
+    fi
+}
+
+print_env()
+{
+    print_log "######## Environment variables ########"
+
+    uname -a | tee -a ${LOG_ALL}
+    if [ -e "/etc/redhat-release" ]; then
+        cat "/etc/redhat-release" | tee -a ${LOG_ALL}
+    fi
+    # don't print the MAIL command, it might contain a password    
+    env | grep -v "^MAIL=" | tee -a ${LOG_ALL}
+}
+
+set_cycle()
+{
+    BITS=$1
+    OPT=$2
+
+    if [ "${BITS}" = "64" ]; then
+        USE_64=1
+        JAVA_HOME=${JAVA_HOME_64} 
+        PORT_DBG=${PORT_64_DBG}
+        PORT_OPT=${PORT_64_OPT}
+    else
+        USE_64=
+        JAVA_HOME=${JAVA_HOME_32} 
+        PORT_DBG=${PORT_32_DBG}
+        PORT_OPT=${PORT_32_OPT}
+    fi
+    export USE_64
+    export JAVA_HOME
+
+    BUILD_OPT=
+    if [ "${OPT}" = "OPT" ]; then
+        BUILD_OPT=1
+        XPCLASS=xpclass.jar
+        PORT=${PORT_OPT}
+    else
+        BUILD_OPT=
+        XPCLASS=xpclass_dbg.jar
+        PORT=${PORT_DBG}
+    fi
+    export BUILD_OPT
+
+    PORT_JSS_SERVER=$(expr ${PORT} + 20)
+    PORT_JSSE_SERVER=$(expr ${PORT} + 40)
+
+    export PORT
+    export PORT_JSS_SERVER
+    export PORT_JSSE_SERVER
+}
+
+build_nss()
+{
+    print_log "######## NSS - build - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/nss"
+    cd ${HGDIR}/nss
+
+    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+
+    if [ ${RET} -eq 0 ]; then
+        return 0
+    else
+        tail -100 ${LOG_ALL}
+        return ${RET}
+    fi
+}
+
+build_jss()
+{
+    print_log "######## JSS - build - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/jss"
+    cd ${HGDIR}/jss
+
+    print_log "$ ${MAKE} ${JSS_BUILD_TARGET}"
+    #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+    ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0
+    [ ${RET} -eq 0 ] || return ${RET}
+
+    print_log "$ cd ${HGDIR}/dist"
+    cd ${HGDIR}/dist
+
+    if [ -z "${NO_JSS_SIGN}" ]; then
+	print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa"
+	cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1
+	RET=$?
+	print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+	[ ${RET} -eq 0 ] || return ${RET}
+    fi
+    print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}"
+    ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1
+    RET=$?
+    print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+    [ ${RET} -eq 0 ] || return ${RET}
+
+    return 0
+}
+
+test_nss()
+{
+    print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########"
+
+    if [ "${OS_TARGET}" = "Android" ]; then
+	print_log "$ cd ${HGDIR}/nss/tests/remote"
+	cd ${HGDIR}/nss/tests/remote
+	print_log "$ make test_android"
+	make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
+	OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log
+    else
+	print_log "$ cd ${HGDIR}/nss/tests"
+	cd ${HGDIR}/nss/tests
+	print_log "$ ./all.sh"
+	./all.sh 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
+	OUTPUTFILE=${LOG_TMP}
+    fi
+
+    cat ${LOG_TMP} >> ${LOG_ALL}
+    tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL}
+    RET=$?
+
+    print_log "######## details of detected failures (if any) ########"
+    grep -B50 FAIL ${OUTPUTFILE}
+    [ $? -eq 1 ] || RET=1
+
+    print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+    return ${RET}
+}
+
+test_jss()
+{
+    print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/jss"
+    cd ${HGDIR}/jss
+
+    print_log "$ ${MAKE} platform"
+    PLATFORM=$(${MAKE} platform)
+    print_log "PLATFORM=${PLATFORM}"
+
+    print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests"
+    cd ${HGDIR}/jss/org/mozilla/jss/tests
+
+    print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}"
+    perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP}
+    cat ${LOG_TMP} >> ${LOG_ALL}
+
+    tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null
+    RET=$?
+
+    grep FAIL ${LOG_TMP} 
+    [ $? -eq 1 ] || RET=1
+
+    print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+    return ${RET}
+}
+
+build_and_test()
+{
+    if [ -n "${BUILD_NSS}" ]; then
+        build_nss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${TEST_NSS}" ]; then
+        test_nss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${BUILD_JSS}" ]; then
+        build_jss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${TEST_JSS}" ]; then
+        test_jss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    return 0
+}
+
+run_cycle()
+{
+    print_env
+    build_and_test
+    RET=$?
+
+    grep ^TinderboxPrint ${LOG_ALL}
+
+    return ${RET}
+}
+
+prepare()
+{
+    rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
+    mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
+    mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
+    mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
+    mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
+    mkdir -p ${OUTPUTDIR}
+
+    if [ -n "${NSS_ENABLE_ECC}" -a -n "${NSS_ECC_MORE_THAN_SUITE_B}" ]; then
+        cd ${HGDIR}/nss
+        ECF="lib/freebl/ecl/ecl-curve.h"
+	print_log "hg revert -r NSS_3_11_1_RTM ${ECF}"
+        hg revert -r NSS_3_11_1_RTM security/nss/${ECF}
+        cp -f security/nss/${ECF} ${ECF}
+    fi
+
+    return 0
+}
+
+move_results()
+{
+    cd ${HGDIR}
+    if [ -n "${TEST_NSS}" ]; then
+	mv -f tests_results ${OUTPUTDIR}
+    fi
+    tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist
+    rm -rf dist
+}
+
+run_all()
+{
+    set_cycle ${BITS} ${OPT}
+    prepare
+    run_cycle
+    RESULT=$?
+    print_log "### result of run_cycle is ${RESULT}"
+    move_results
+    return ${RESULT}
+}
+
+main()
+{
+    VALID=0
+    RET=1
+
+    for BITS in 32 64; do
+        echo ${RUN_BITS} | grep ${BITS} > /dev/null
+        [ $? -eq 0 ] || continue
+        for OPT in DBG OPT; do
+            echo ${RUN_OPT} | grep ${OPT} > /dev/null
+            [ $? -eq 0 ] || continue
+
+            VALID=1
+            set_env
+            run_all
+            RET=$?
+	    print_log "### result of run_all is ${RET}"
+        done
+    done
+
+    if [ ${VALID} -ne 1 ]; then
+        echo "Need to set valid bits/opt values."
+        return 1
+    fi
+
+    return ${RET}
+}
+
+#function killallsub()
+#{
+#    FINAL_RET=$?
+#    for proc in `jobs -p`
+#    do
+#        kill -9 $proc
+#    done
+#    return ${FINAL_RET}
+#}
+#trap killallsub EXIT
+
+#IS_RUNNING_FILE="./build-is-running"
+
+#if [ -a $IS_RUNNING_FILE ]; then
+#    echo "exiting, because old job is still running"
+#    exit 1
+#fi
+
+#touch $IS_RUNNING_FILE
+
+echo "tinderbox args: $0 $@"
+. ${ENVVARS}
+proc_args "$@"
+main
+
+#RET=$?
+#rm $IS_RUNNING_FILE
+#exit ${RET}
--- a/security/nss/automation/buildbot-slave/reboot.bat
+++ b/security/nss/automation/buildbot-slave/reboot.bat
@ -0,0 +1,6 @@
+IF EXIST ..\buildbot-is-building (
+    del ..\buildbot-is-building
+    shutdown /r /t 0
+
+    timeout /t 120
+)
--- a/security/nss/automation/buildbot-slave/startbuild.bat
+++ b/security/nss/automation/buildbot-slave/startbuild.bat
@ -0,0 +1,14 @@
+echo running > ..\buildbot-is-building
+
+echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
+"%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
+
+if %errorlevel% neq 0 (
+  set EXITCODE=1
+) else (
+  set EXITCODE=0
+)
+
+del ..\buildbot-is-building
+
+exit /b %EXITCODE%
--- a/security/nss/cmd/Makefile
+++ b/security/nss/cmd/Makefile
@ -1,43 +1,11 @@
 #! gmake
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

-CORE_DEPTH = ../..
-DEPTH = ../..
+CORE_DEPTH = ..
+DEPTH = ..

 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
@ -46,8 +14,19 @@ ifdef BUILD_LIBPKIX_TESTS
 DIRS += libpkix
 endif

-ifndef USE_SYSTEM_ZLIB
-ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+BLTEST_SRCDIR =
+FIPSTEST_SRCDIR =
+SHLIBSIGN_SRCDIR =
+else
+BLTEST_SRCDIR = bltest
+FIPSTEST_SRCDIR = fipstest
+SHLIBSIGN_SRCDIR = shlibsign
+endif
+
+LOWHASHTEST_SRCDIR=
+ifeq ($(FREEBL_LOWHASH),1)
+LOWHASHTEST_SRCDIR = lowhashtest  # Add the lowhashtest directory to DIRS.
 endif

 INCLUDES += \
--- a/security/nss/cmd/addbuiltin/Makefile
+++ b/security/nss/cmd/addbuiltin/Makefile
@ -1,40 +1,8 @@
 #! gmake
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

 #######################################################################
 # (1) Include initial platform-independent assignments (MANDATORY).   #
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@ -1,43 +1,9 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 /*
 * Tool for converting builtin CA certs.
- *
- * $Id: addbuiltin.c,v 1.14 2007/02/14 00:35:52 alexei.volkov.bugs%sun.com Exp $
 */

 #include "nssrenam.h"
@ -68,20 +34,22 @@ char *getTrustString(unsigned int trust)
 {
    if (trust & CERTDB_TRUSTED) {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else {
-		return "CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED";
 	}
    } else {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else if (trust & CERTDB_VALID_CA) {
-		return "CKT_NETSCAPE_VALID_DELEGATOR";
+		return "CKT_NSS_VALID_DELEGATOR";
+	} else if (trust & CERTDB_TERMINAL_RECORD) {
+		return "CKT_NSS_NOT_TRUSTED";
 	} else {
-		return "CKT_NETSCAPE_TRUST_UNKNOWN";
+		return "CKT_NSS_MUST_VERIFY_TRUST";
 	}
    }
-    return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
+    return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
 }

 static const SEC_ASN1Template serialTemplate[] = {
@ -89,14 +57,115 @@ static const SEC_ASN1Template serialTemplate[] = {
    { 0 }
 };

+void print_crl_info(CERTName *name, SECItem *serial)
+{
+    PRBool saveWrapeState = SECU_GetWrapEnabled();
+    SECU_EnableWrap(PR_FALSE);
+
+    SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE);
+    printf("\n");
+    
+    SECU_PrintInteger(stdout, serial, "# Serial Number", 0);
+
+    SECU_EnableWrap(saveWrapeState);
+}
+
 static SECStatus
-ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
+ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
+{
+    int rv;
+    PLArenaPool *arena = NULL;
+    CERTSignedCrl *newCrl = NULL;
+    CERTCrlEntry *entry;
+    
+    CERTName *name = NULL;
+    SECItem *derName = NULL;
+    SECItem *serial = NULL;
+    
+    rv = SEC_ERROR_NO_MEMORY;
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena)
+    	return rv;
+
+    newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
+					CRL_DECODE_DEFAULT_OPTIONS);
+    if (!newCrl)
+    	return SECFailure;
+    
+    name = &newCrl->crl.name;
+    derName = &newCrl->crl.derName;
+    
+    if (newCrl->crl.entries != NULL) {
+	PRInt32 iv = 0;
+	while ((entry = newCrl->crl.entries[iv++]) != NULL) {
+	    if (crlentry == iv) {
+		serial = &entry->serialNumber;
+		break;
+	    }
+	}
+    }
+    
+    if (!name || !derName || !serial)
+    	return SECFailure;
+    
+    printf("\n# Distrust \"%s\"\n",nickname);
+    print_crl_info(name, serial);
+
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
+    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+    
+    printf("CKA_ISSUER MULTILINE_OCTAL\n");
+    dumpbytes(derName->data,derName->len);
+    printf("END\n");
+    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+    printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */
+    dumpbytes(serial->data,serial->len);
+    printf("END\n");
+    
+    printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n");
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return rv;
+}
+
+void print_info(SECItem *sdder, CERTCertificate *c)
+{
+    PRBool saveWrapeState = SECU_GetWrapEnabled();
+    SECU_EnableWrap(PR_FALSE);
+
+    SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE);
+    printf("\n");
+    
+    SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0);
+
+    SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE);
+    printf("\n");
+
+    SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0);
+    SECU_PrintTimeChoice(stdout, &c->validity.notAfter,  "# Not Valid After ", 0);
+    
+    SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0);
+
+    SECU_EnableWrap(saveWrapeState);
+}
+
+static SECStatus
+ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
+                   PRBool excludeCert, PRBool excludeHash)
 {
    SECStatus rv = SECSuccess;
    CERTCertificate *cert;
    unsigned char sha1_hash[SHA1_LENGTH];
    unsigned char md5_hash[MD5_LENGTH];
    SECItem *serial = NULL;
+    PRBool step_up = PR_FALSE;
+    const char *trust_info;

    cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
    if (!cert) {
@ -106,42 +175,56 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
    if (!serial) {
 	return SECFailure;
    }
+    
+    if (!excludeCert) {
+	printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
+	print_info(sdder, cert);
+	printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
+	printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+	printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+	printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+	printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+	printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
+	printf("CKA_SUBJECT MULTILINE_OCTAL\n");
+	dumpbytes(cert->derSubject.data,cert->derSubject.len);
+	printf("END\n");
+	printf("CKA_ID UTF8 \"0\"\n");
+	printf("CKA_ISSUER MULTILINE_OCTAL\n");
+	dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+	printf("END\n");
+	printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+	dumpbytes(serial->data,serial->len);
+	printf("END\n");
+	printf("CKA_VALUE MULTILINE_OCTAL\n");
+	dumpbytes(sdder->data,sdder->len);
+	printf("END\n");
+    }
+    
+    if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) 
+         == CERTDB_TERMINAL_RECORD)
+      trust_info = "Distrust";
+    else
+      trust_info = "Trust for";
+    
+    printf("\n# %s \"%s\"\n", trust_info, nickname);
+    print_info(sdder, cert);

-    printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
-    printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
-    printf("CKA_SUBJECT MULTILINE_OCTAL\n");
-    dumpbytes(cert->derSubject.data,cert->derSubject.len);
-    printf("END\n");
-    printf("CKA_ID UTF8 \"0\"\n");
-    printf("CKA_ISSUER MULTILINE_OCTAL\n");
-    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
-    printf("END\n");
-    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
-    dumpbytes(serial->data,serial->len);
-    printf("END\n");
-    printf("CKA_VALUE MULTILINE_OCTAL\n");
-    dumpbytes(sdder->data,sdder->len);
-    printf("END\n");
-
-    PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
-    PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
-    printf("\n# Trust for Certificate \"%s\"\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
-    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
-    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
-    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
-    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
-    printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
-    dumpbytes(sha1_hash,SHA1_LENGTH);
-    printf("END\n");
-    printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
-    dumpbytes(md5_hash,MD5_LENGTH);
-    printf("END\n");
+    
+    if (!excludeHash) {
+	PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
+	printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
+	dumpbytes(sha1_hash,SHA1_LENGTH);
+	printf("END\n");
+	PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
+	printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
+	dumpbytes(md5_hash,MD5_LENGTH);
+	printf("END\n");
+    }

    printf("CKA_ISSUER MULTILINE_OCTAL\n");
    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
@ -151,24 +234,24 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
    printf("END\n");
    
    printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
-				 getTrustString(trust->sslFlags));
+				getTrustString(trust->sslFlags));
    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
-				 getTrustString(trust->emailFlags));
+				getTrustString(trust->emailFlags));
    printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
-				 getTrustString(trust->objectSigningFlags));
+				getTrustString(trust->objectSigningFlags));
 #ifdef notdef
-    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
-    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
 #endif
+    
+    step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
-                trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
-                "CK_TRUE" : "CK_FALSE");
-
+                step_up ? "CK_TRUE" : "CK_FALSE");

    PORT_Free(sdder->data);
    return(rv);
@ -177,43 +260,11 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)

 void printheader() {
    printf("# \n"
-"# ***** BEGIN LICENSE BLOCK *****\n"
-"# Version: MPL 1.1/GPL 2.0/LGPL 2.1\n"
-"#\n"
-"# The contents of this file are subject to the Mozilla Public License Version\n"
-"# 1.1 (the \"License\"); you may not use this file except in compliance with\n"
-"# the License. You may obtain a copy of the License at\n"
-"# http://www.mozilla.org/MPL/\n"
-"#\n"
-"# Software distributed under the License is distributed on an \"AS IS\" basis,\n"
-"# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License\n"
-"# for the specific language governing rights and limitations under the\n"
-"# License.\n"
-"#\n"
-"# The Original Code is the Netscape security libraries..\n"
-"#\n"
-"# The Initial Developer of the Original Code is\n"
-"# Netscape Communications Corporation.\n"
-"# Portions created by the Initial Developer are Copyright (C) 1994-2000\n"
-"# the Initial Developer. All Rights Reserved.\n"
-"#\n"
-"# Contributor(s):\n"
-"#\n"
-"# Alternatively, the contents of this file may be used under the terms of\n"
-"# either the GNU General Public License Version 2 or later (the \"GPL\"), or\n"
-"# the GNU Lesser General Public License Version 2.1 or later (the \"LGPL\"),\n"
-"# in which case the provisions of the GPL or the LGPL are applicable instead\n"
-"# of those above. If you wish to allow use of your version of this file only\n"
-"# under the terms of either the GPL or the LGPL, and not to allow others to\n"
-"# use your version of this file under the terms of the MPL, indicate your\n"
-"# decision by deleting the provisions above and replace them with the notice\n"
-"# and other provisions required by the GPL or the LGPL. If you do not delete\n"
-"# the provisions above, a recipient may use your version of this file under\n"
-"# the terms of any one of the MPL, the GPL or the LGPL.\n"
-"#\n"
-"# ***** END LICENSE BLOCK *****\n"
+"# This Source Code Form is subject to the terms of the Mozilla Public\n"
+"# License, v. 2.0. If a copy of the MPL was not distributed with this\n"
+"# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
     "#\n"
-     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14 $ $Date: 2007/02/14 00:35:52 $\"\n"
+     "CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n"
     "\n"
     "#\n"
     "# certdata.txt\n"
@ -237,7 +288,7 @@ void printheader() {
     "#  CKA_ISSUER               DER+base64              (varies)\n"
     "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
     "#  CKA_VALUE                DER+base64              (varies)\n"
-     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
+     "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
     "#\n"
     "#    Trust\n"
     "#\n"
@ -274,7 +325,7 @@ void printheader() {
     "# have to go looking for others.\n"
     "#\n"
     "BEGINDATA\n"
-     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
+     "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
     "CKA_TOKEN CK_BBOOL CK_TRUE\n"
     "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
     "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
@ -283,41 +334,71 @@ void printheader() {

 static void Usage(char *progName)
 {
-    fprintf(stderr, "%s -n nickname -t trust [-i certfile]\n", progName);
+    fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName);
    fprintf(stderr, 
            "\tRead a der-encoded cert from certfile or stdin, and output\n"
            "\tit to stdout in a format suitable for the builtin root module.\n"
-            "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n"
-            "\t(pipe through atob if the cert is b64-encoded)\n", progName);
-    fprintf(stderr, "%-15s nickname to assign to builtin cert.\n", 
-                    "-n nickname");
+            "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n",
+            progName);
+    fprintf(stderr, "%s -D -n label [-i certfile]\n", progName);
+    fprintf(stderr, 
+            "\tRead a der-encoded cert from certfile or stdin, and output\n"
+            "\ta distrust record.\n"
+	    "\t(-D is equivalent to -t p,p,p -c -h)\n");
+    fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName);
+    fprintf(stderr, 
+            "\tRead a CRL from crlfile or stdin, and output\n"
+            "\ta distrust record (issuer+serial).\n"
+	    "\t(-C implies -c -h)\n");
    fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
-    fprintf(stderr, "%-15s file to read (default stdin)\n", "-i certfile");
+    fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n", 
+                    "-n nickname");
+    fprintf(stderr, "%-15s a label for the distrust record.\n", "");
+    fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c");
+    fprintf(stderr, "%-15s exclude hash from trust record\n", "-h");
+    fprintf(stderr, "%-15s     (useful to distrust any matching issuer/serial)\n", "");
+    fprintf(stderr, "%-15s     (not allowed when adding positive trust)\n", "");
+    fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
+    fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
+    fprintf(stderr, "%-15s     (pipe through atob if the cert is b64-encoded)\n", "");
    exit(-1);
 }

 enum {
    opt_Input = 0,
    opt_Nickname,
-    opt_Trust
+    opt_Trust,
+    opt_Distrust,
+    opt_ExcludeCert,
+    opt_ExcludeHash,
+    opt_DistrustCRL,
+    opt_CRLEnry
 };

 static secuCommandFlag addbuiltin_options[] =
 {
-	{ /* opt_Input         */  'i', PR_TRUE, 0, PR_FALSE },
-	{ /* opt_Nickname      */  'n', PR_TRUE, 0, PR_FALSE },
-	{ /* opt_Trust         */  't', PR_TRUE, 0, PR_FALSE }
+	{ /* opt_Input         */  'i', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Nickname      */  'n', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Trust         */  't', PR_TRUE,  0, PR_FALSE },
+        { /* opt_Distrust      */  'D', PR_FALSE, 0, PR_FALSE },
+        { /* opt_ExcludeCert   */  'c', PR_FALSE, 0, PR_FALSE },
+        { /* opt_ExcludeHash   */  'h', PR_FALSE, 0, PR_FALSE },
+        { /* opt_DistrustCRL   */  'C', PR_FALSE, 0, PR_FALSE },
+        { /* opt_CRLEnry       */  'e', PR_TRUE,  0, PR_FALSE },
 };

 int main(int argc, char **argv)
 {
    SECStatus rv;
-    char *nickname;
-    char *trusts;
+    char *nickname = NULL;
+    char *trusts = NULL;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
-    SECItem derCert = { 0 };
+    SECItem derItem = { 0 };
+    PRInt32 crlentry = 0;
+    PRInt32 mutuallyExclusiveOpts = 0;
+    PRBool decodeTrust = PR_FALSE;

    secuCommand addbuiltin = { 0 };
    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
@ -330,12 +411,40 @@ int main(int argc, char **argv)

    if (rv != SECSuccess)
 	Usage(progName);
+    
+    if (addbuiltin.options[opt_Trust].activated)
+      ++mutuallyExclusiveOpts;
+    if (addbuiltin.options[opt_Distrust].activated)
+      ++mutuallyExclusiveOpts;
+    if (addbuiltin.options[opt_DistrustCRL].activated)
+      ++mutuallyExclusiveOpts;

-    if (!addbuiltin.options[opt_Nickname].activated &&
-        !addbuiltin.options[opt_Trust].activated) {
-	fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
-		progName);
-	Usage(progName);
+    if (mutuallyExclusiveOpts != 1) {
+        fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
+                progName);
+        Usage(progName);
+    }
+    
+    if (addbuiltin.options[opt_DistrustCRL].activated) {
+	if (!addbuiltin.options[opt_CRLEnry].activated) {
+	    fprintf(stderr, "%s: you must specify the CRL entry number.\n",
+		    progName);
+	    Usage(progName);
+	}
+	else {
+	    crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+	    if (crlentry < 1) {
+		fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
+			progName);
+		Usage(progName);
+	    }
+	}
+    }
+
+    if (!addbuiltin.options[opt_Nickname].activated) {
+        fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
+                progName);
+        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
@ -362,25 +471,70 @@ int main(int argc, char **argv)
 	infile = PR_STDIN;
    }

-    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
-    trusts = strdup(addbuiltin.options[opt_Trust].arg);
+#if defined(WIN32)
+    /* We must put stdout into O_BINARY mode or else the output will include
+    ** carriage returns.
+    */
+    {
+	int smrv = _setmode(_fileno(stdout), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName);
+	    exit(1);
+	}
+    }
+#endif

+    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
+    
    NSS_NoDB_Init(NULL);

-    rv = CERT_DecodeTrustString(&trust, trusts);
-    if (rv) {
-	fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
-	Usage(progName);
+    if (addbuiltin.options[opt_Distrust].activated ||
+        addbuiltin.options[opt_DistrustCRL].activated) {
+      addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
+      addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
+    }
+    
+    if (addbuiltin.options[opt_Distrust].activated) {
+        trusts = strdup("p,p,p");
+	decodeTrust = PR_TRUE;
+    }
+    else if (addbuiltin.options[opt_Trust].activated) {
+        trusts = strdup(addbuiltin.options[opt_Trust].arg);
+	decodeTrust = PR_TRUE;
+    }
+    
+    if (decodeTrust) {
+	rv = CERT_DecodeTrustString(&trust, trusts);
+	if (rv) {
+	    fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
+	    Usage(progName);
+	}
+    }
+    
+    if (addbuiltin.options[opt_Trust].activated &&
+        addbuiltin.options[opt_ExcludeHash].activated) {
+	if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) 
+	    != CERTDB_TERMINAL_RECORD) {
+	    fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
+	    Usage(progName);
+	}
    }

-    SECU_FileToItem(&derCert, infile);
+    SECU_FileToItem(&derItem, infile);
    
    /*printheader();*/
-
-    rv = ConvertCertificate(&derCert, nickname, &trust);
-    if (rv) {
-	fprintf(stderr, "%s: failed to convert certificate.\n", progName);
-	exit(1);
+    
+    if (addbuiltin.options[opt_DistrustCRL].activated) {
+	rv = ConvertCRLEntry(&derItem, crlentry, nickname);
+    }
+    else {
+	rv = ConvertCertificate(&derItem, nickname, &trust, 
+				addbuiltin.options[opt_ExcludeCert].activated,
+				addbuiltin.options[opt_ExcludeHash].activated);
+	if (rv) {
+	    fprintf(stderr, "%s: failed to convert certificate.\n", progName);
+	    exit(1);
+	}
    }
    
    if (NSS_Shutdown() != SECSuccess) {
--- a/security/nss/cmd/addbuiltin/manifest.mn
+++ b/security/nss/cmd/addbuiltin/manifest.mn
@ -1,41 +1,9 @@
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

-CORE_DEPTH = ../../..
+CORE_DEPTH = ../..

 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss 
--- a/security/nss/cmd/atob/Makefile
+++ b/security/nss/cmd/atob/Makefile
@ -1,40 +1,8 @@
 #! gmake
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

 #######################################################################
 # (1) Include initial platform-independent assignments (MANDATORY).   #
--- a/security/nss/cmd/atob/atob.c
+++ b/security/nss/cmd/atob/atob.c
@ -1,38 +1,6 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include "plgetopt.h"
 #include "secutil.h"
--- a/security/nss/cmd/atob/manifest.mn
+++ b/security/nss/cmd/atob/manifest.mn
@ -1,41 +1,9 @@
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

-CORE_DEPTH	= ../../..
+CORE_DEPTH	= ../..

 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss 
--- a/security/nss/cmd/bltest/Makefile
+++ b/security/nss/cmd/bltest/Makefile
@ -1,40 +1,8 @@
 #! gmake
 #
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.

 #######################################################################
 # (1) Include initial platform-independent assignments (MANDATORY).   #
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
--- a/security/nss/cmd/bltest/manifest.mn
+++ b/security/nss/cmd/bltest/manifest.mn
@ -1,40 +1,8 @@
 # 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..

 MODULE = nss

--- a/security/nss/cmd/bltest/tests/README
+++ b/security/nss/cmd/bltest/tests/README
@ -46,4 +46,11 @@ trusted implementation.  bltest will generate a key and store it in
    bltest -E -m rsa -i plaintext0 -o ciphertext0 -e 65537 -g 32 -a
    mv tmp.key key0

+RSA-OAEP/RSA-PSS:
+RSA-OAEP and RSA-PSS have a number of additional parameters to feed in.
+- "seedN": The seed or salt to use when encrypting/signing
+- "hashN" / "maskhashN" - The base digest algorithm and the digest algorithm
+   to use with MGF1, respectively. This should be an ASCII string specifying
+   one of the hash algorithms recognized by bltest (eg: "sha1", "sha256")
+
 [note: specifying a keysize (-g) when using RSA is important!]
--- a/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
+++ b/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
@ -1 +1 @@
-oJLgOzZ1GiWt3DGo2sPKaA==
+oJLgOzZ1GiWt3DGo2sPKaOnyGuRz5sZwmDyn4dvAqd8=
--- a/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
+++ b/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
@ -1 +1 @@
-0123456789abcdef
+0123456789abcdef0123456789abcdef
--- a/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_0.txt
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_0.txt
@ -0,0 +1,28 @@
+Test="F.5.1 CTR-AES128.Encrypt"
+Type=Encrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=874d6191b620e3261bef6864990db6ce
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+}
--- a/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_1.txt
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_1.txt
@ -0,0 +1,28 @@
+Test="F.5.3 CTR-AES192.Encrypt"
+Type=Encrypt
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+}
--- a/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_2.txt
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_2.txt
@ -0,0 +1,28 @@
+Test="F.5.5 CTR-AES256.Encrypt"
+Type=Encrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=0bdf7df1591716335e9a8b15c860c502
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=5a6e699d536119065433863c8f657b94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=1bc12c9c01610d5d0d8bd6a3378eca62
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=2b0930daa23de94ce87017ba2d84988d
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=2956e1c8693536b1bee99c73a31576b6
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=dfc9c58db67aada613c2dd08457941a6
+}
--- a/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_tests_source.txt
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_tests_source.txt
@ -0,0 +1,199 @@
+#
+# From NIST Special Publication 800-38A; 2001 Edition ;
+# "Recommendation for Block Cipher Modes of Operation: Methods and Techniques"
+# Morris Dworkin
+# Appendix F Example Vectors for Modes of Operation of the AES
+#
+# In this appendix, three examples are provided for each of the modes in this recommendation with
+# the AES algorithm [2] as the underlying block cipher: one example is given for each of the
+# allowed key sizes (128, 192, and 256 bits). Some intermediate results are presented. For the five
+# confidentiality modes, examples are provided for both encryption and decryption. Examples are
+# provided for 1-bit, 8-bit, and 128 bit CFB. The plaintext for all but two of these examples is
+# equivalent to the following string of hexadecimal characters, formatted into four 128 bit blocks:
+#
+#     6bc1bee22e409f96e93d7e117393172a 
+#     ae2d8a571e03ac9c9eb76fac45af8e51 
+#     30c81c46a35ce411e5fbc1191a0a52ef 
+#     f69f2445df4f9b17ad2b417be66c3710. 
+#
+# For the example of 1-bit CFB, the plaintext is the first 16 bits in the above string; for the example
+# of 8-bit CFB, the plaintext is the first 18 octets in the above string. All strings are presented in
+# hexadecimal notation, except in the example of 1-bit CFB, where the plaintext and ciphertext
+# segments are single bits.
+#
+#
+#  F.5 CTR Example Vectors
+
+Test="F.5.1 CTR-AES128.Encrypt"
+Type=Encrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=874d6191b620e3261bef6864990db6ce
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+}
+
+Test="F.5.2 CTR-AES128.Decrypt"
+Type=Decrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Ciphertext=874d6191b620e3261bef6864990db6ce
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+}
+
+Test="F.5.3 CTR-AES192.Encrypt"
+Type=Encrypt
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+}
+
+Test="F.5.4 CTR-AES192.Decrypt"
+Type="Decrypt"
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+} 
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+} 
+Block #3 
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+}
+Block #4 
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+}
+
+Test="F.5.5 CTR-AES256.Encrypt"
+Type=Encrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=0bdf7df1591716335e9a8b15c860c502
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=5a6e699d536119065433863c8f657b94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=1bc12c9c01610d5d0d8bd6a3378eca62
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=2b0930daa23de94ce87017ba2d84988d
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=2956e1c8693536b1bee99c73a31576b6
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=dfc9c58db67aada613c2dd08457941a6
+}
+
+Test="F.5.6 CTR-AES256.Decrypt"
+Type=Decrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+OutputBlock=0bdf7df1591716335e9a8b15c860c502 
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+OutputBlock=5a6e699d536119065433863c8f657b94 
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+OutputBlock=1bc12c9c01610d5d0d8bd6a3378eca62 
+Ciphertext=2b0930daa23de94ce87017ba2d84988d 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+OutputBlock=2956e1c8693536b1bee99c73a31576b6 
+Ciphertext=dfc9c58db67aada613c2dd08457941a6 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+}
+
--- a/security/nss/cmd/bltest/tests/aes_ctr/ciphertext0
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext0
@ -0,0 +1,2 @@
+h01hkbYg4yYb72hkmQ22zpgG9mt5cP3/hhcYe7n//f9a5N8+29XTXltPCQINsD6r
+HgMd2i++A9F5IXCg8wCc7g==
--- a/security/nss/cmd/bltest/tests/aes_ctr/ciphertext1
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext1
@ -0,0 +1,2 @@
+GryTJBdSHKJPKwRZ/n5uCwkDOewKpvrv1czCxvTOjpQeNrJr0evGcNG9HWZWIKv3
+T3in9tKYCVhal9rsWMawUA==
--- a/security/nss/cmd/bltest/tests/aes_ctr/ciphertext2
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext2
@ -0,0 +1,2 @@
+YB7DE3dXiaW3p/UEu/PSKPRD48pNYrWayoTpkMrK9cUrCTDaoj3pTOhwF7othJiN
+38nFjbZ6raYTwt0IRXlBpg==
--- a/security/nss/cmd/bltest/tests/aes_ctr/iv0
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv0
@ -0,0 +1 @@
+πρςστυφχψωϊϋόύώ<EFBFBD>
--- a/security/nss/cmd/bltest/tests/aes_ctr/iv1
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv1
@ -0,0 +1 @@
+πρςστυφχψωϊϋόύώ<EFBFBD>
--- a/security/nss/cmd/bltest/tests/aes_ctr/iv2
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv2
@ -0,0 +1 @@
+πρςστυφχψωϊϋόύώ<EFBFBD>
--- a/security/nss/cmd/bltest/tests/aes_ctr/key0
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key0
@ -0,0 +1 @@
+~(╝р╕╚В┬	оO<
--- a/security/nss/cmd/bltest/tests/aes_ctr/key1
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key1
@ -0,0 +1 @@
+<EFBFBD>s<EFBFBD><EFBFBD><EFBFBD>dR<64><10>+<2B><>y<EFBFBD>b<EFBFBD><62><EFBFBD>R,k{
--- a/security/nss/cmd/bltest/tests/aes_ctr/key2
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key2
@ -0,0 +1 @@
+`=ëÊq¾+s®ð…}w<>5,;a×-˜£	ßô
--- a/security/nss/cmd/bltest/tests/aes_ctr/mktst.sh
+++ b/security/nss/cmd/bltest/tests/aes_ctr/mktst.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+for i in 0 1 2
+do
+    file="aes_ctr_$i.txt"
+    grep Key $file | sed -e 's;Key=;;' | hex > key$i
+    grep "Init. Counter"  $file | sed -e 's;Init. Counter=;;' | hex > iv$i
+    grep "Ciphertext"  $file | sed -e 's;Ciphertext=;;' | hex | btoa > ciphertext$i
+    grep "Plaintext"  $file | sed -e 's;Plaintext=;;' | hex  > plaintext$i
+done
--- a/security/nss/cmd/bltest/tests/aes_ctr/numtests
+++ b/security/nss/cmd/bltest/tests/aes_ctr/numtests
@ -0,0 +1 @@
+3
--- a/security/nss/cmd/bltest/tests/aes_ctr/plaintext0
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext0
@ -0,0 +1,2 @@
+kÁ¾â.@Ÿ–é=~s“*®-ŠW¬œž·o¬E¯ŽQ0ÈF£\äåûÁ
+RïöŸ$EßO›+A{æl7
--- a/security/nss/cmd/bltest/tests/aes_ctr/plaintext1
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext1
@ -0,0 +1,2 @@
+kÁ¾â.@Ÿ–é=~s“*®-ŠW¬œž·o¬E¯ŽQ0ÈF£\äåûÁ
+RïöŸ$EßO›+A{æl7
--- a/security/nss/cmd/bltest/tests/aes_ctr/plaintext2
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext2
@ -0,0 +1,2 @@
+kÁ¾â.@Ÿ–é=~s“*®-ŠW¬œž·o¬E¯ŽQ0ÈF£\äåûÁ
+RïöŸ$EßO›+A{æl7
--- a/security/nss/cmd/bltest/tests/aes_cts/aes-cts-type-1-vectors.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes-cts-type-1-vectors.txt
@ -0,0 +1,47 @@
+# Raeburn                     Standards Track                    [Page 12]
+# 
+# RFC 3962             AES Encryption for Kerberos 5         February 2005
+# 
+# Some test vectors for CBC with ciphertext stealing, using an initial
+# vector of all-zero.
+#
+# Original Test vectors were for AES CTS-3 (Kerberos). These test vectors have been modified for AES CTS-1 (NIST)
+#
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20
+Output:   97 c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+Next IV:  c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+Next IV:  fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+Next IV:  39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+Next IV:  b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+Next IV:  9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+Next IV:  48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_0.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_0.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20
+Output:   97 c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+Next IV:  c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_1.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_1.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+Next IV:  fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_2.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_2.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+Next IV:  39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_3.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_3.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+Next IV:  b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_4.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_4.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+Next IV:  9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
+
--- a/security/nss/cmd/bltest/tests/aes_cts/aes_cts_5.txt
+++ b/security/nss/cmd/bltest/tests/aes_cts/aes_cts_5.txt
@ -0,0 +1,6 @@
+Key:      63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
+IV:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Input:    49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
+Output:   97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+Next IV:  48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
+
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext0
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext0
@ -0,0 +1 @@
+l8Y1NWjyv4y02KWANi2n/38=
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext1
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext1
@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/l/AB4Pg79ssHURdTI7/ftIg==
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext2
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext2
@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9ag=
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext3
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext3
@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9bP//ZQMFqGMG1VJ0vg4Ap4=
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext4
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext4
@ -0,0 +1 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9aidrYu7lsTNwDvBA+GhlLvY
--- a/security/nss/cmd/bltest/tests/aes_cts/ciphertext5
+++ b/security/nss/cmd/bltest/tests/aes_cts/ciphertext5
@ -0,0 +1,2 @@
+l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9aidrYu7lsTNwDvBA+GhlLvY
+SAfv6DbuiaUmcw28L3vIQA==
--- a/security/nss/cmd/bltest/tests/aes_cts/iv0
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv0
--- a/security/nss/cmd/bltest/tests/aes_cts/iv1
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv1
--- a/security/nss/cmd/bltest/tests/aes_cts/iv2
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv2
--- a/security/nss/cmd/bltest/tests/aes_cts/iv3
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv3
--- a/security/nss/cmd/bltest/tests/aes_cts/iv4
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv4
--- a/security/nss/cmd/bltest/tests/aes_cts/iv5
+++ b/security/nss/cmd/bltest/tests/aes_cts/iv5
--- a/security/nss/cmd/bltest/tests/aes_cts/key0
+++ b/security/nss/cmd/bltest/tests/aes_cts/key0
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/key1
+++ b/security/nss/cmd/bltest/tests/aes_cts/key1
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/key2
+++ b/security/nss/cmd/bltest/tests/aes_cts/key2
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/key3
+++ b/security/nss/cmd/bltest/tests/aes_cts/key3
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/key4
+++ b/security/nss/cmd/bltest/tests/aes_cts/key4
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/key5
+++ b/security/nss/cmd/bltest/tests/aes_cts/key5
@ -0,0 +1 @@
+chicken teriyaki
--- a/security/nss/cmd/bltest/tests/aes_cts/mktst.sh
+++ b/security/nss/cmd/bltest/tests/aes_cts/mktst.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+for i in 0 1 2 3 4 5
+do
+    file="aes_cts_$i.txt"
+    grep "Key" $file | sed -e 's;Key:;;' | hex > key$i
+    grep "IV"  $file | sed -e 's;IV:;;' | hex > iv$i
+    grep "Input"  $file | sed -e 's;Input:;;' | hex  > plaintext$i
+    grep "Output"  $file | sed -e 's;Output:;;' | hex | btoa > ciphertext$i
+done
--- a/security/nss/cmd/bltest/tests/aes_cts/numtests
+++ b/security/nss/cmd/bltest/tests/aes_cts/numtests
@ -0,0 +1 @@
+6
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext0
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext0
@ -0,0 +1 @@
+I would like the 
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext1
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext1
@ -0,0 +1 @@
+I would like the General Gau's 
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext2
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext2
@ -0,0 +1 @@
+I would like the General Gau's C
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext3
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext3
@ -0,0 +1 @@
+I would like the General Gau's Chicken, please,
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext4
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext4
@ -0,0 +1 @@
+I would like the General Gau's Chicken, please, 
--- a/security/nss/cmd/bltest/tests/aes_cts/plaintext5
+++ b/security/nss/cmd/bltest/tests/aes_cts/plaintext5
@ -0,0 +1 @@
+I would like the General Gau's Chicken, please, and wonton soup.
--- a/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
+++ b/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
@ -1 +1 @@
-PVuaCIiaKQhblgFCbVMTTg==
+PVuaCIiaKQhblgFCbVMTTg==
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad0
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad0
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad1
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad1
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad10
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad10
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad11
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad11
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad12
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad12
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad13
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad13
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad14
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad14
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad15
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad15
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad16
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad16
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad17
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad17
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad2
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad2
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad3
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad3
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad4
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad4
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad5
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad5
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad6
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad6
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad7
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad7
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad8
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad8
--- a/security/nss/cmd/bltest/tests/aes_gcm/aad9
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad9
@ -0,0 +1 @@
+<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ
--- a/security/nss/cmd/bltest/tests/aes_gcm/ciphertext0
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext0
@ -0,0 +1 @@
+WOL8zvp+MGE2fx1XpOdFWg==
--- a/security/nss/cmd/bltest/tests/aes_gcm/ciphertext1
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext1
@ -0,0 +1 @@
+A4jazmC2o5LzKMK5cbL+eKtuR9Qs7BO99TpnshJXvd8=
--- a/security/nss/cmd/bltest/tests/aes_gcm/ciphertext10
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext10
@ -0,0 +1,2 @@
+DxD1ma4UoVTtJLNuJTJNuMVmYy7yu7NPg0coD8RQcFf93CnfmkcfdcZlQdTU2tHJ
+6ToZpY6LRz+g8GL3ZdzFf89iOiQJT8ykDTUz+A==
--- a/security/nss/cmd/bltest/tests/aes_gcm/ciphertext11
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext11
@ -0,0 +1,2 @@
+0n6IaBzjJDxIMBZaj9z5/x3podjmtEfvbve3mChmbkWB55ASrzTd2eLwN1ibKS2z
+5nwDZ0X6Iufptzc73PVm/ykcJbu4Vo/D03am2Q==
--- a/security/nss/cmd/bltest/tests/aes_gcm/ciphertext12
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext12
@ -0,0 +1 @@
+Uw+K+8dFNrmpY7TxxMtziw==
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`<EFBFBD>s<EFBFBD><EFBFBD><EFBFBD>dR<64><10>+<2B><>y<EFBFBD>b<EFBFBD><62><EFBFBD>R,k{`
				`@ -0,0 +1 @@`
				`l2hyaNbszMDAeyXiXs/l/AB4Pg79ssHURdTI7/ftIg==`
				`@ -0,0 +1 @@`
				`l2hyaNbszMDAeyXiXs/lhDkxJSOnhmLVvn/LzJjr9ag=`
				`@ -0,0 +1 @@`
				`I would like the General Gau's Chicken, please,`
				`@ -0,0 +1 @@`
				`<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>燁ﾎﾞｭｾ<EFBFBD>ｭﾚﾒ`
				`@ -0,0 +1 @@`
				`A4jazmC2o5LzKMK5cbL+eKtuR9Qs7BO99TpnshJXvd8=`