author | cvs2hg <devnull@localhost> | 2006-04-19 22:19:12 +0000 |
---|---|---|
committer | cvs2hg <devnull@localhost> | 2006-04-19 22:19:12 +0000 |
commit | 7c7dbe02a42f0880a623c47a6371c934239d02b6 (patch) | |
tree | e3b53dda60e00b389bbb5a979e64c91fd3b510cf | |
parent | 059d41e7fa7bfc93398d456feed2f777eaf01ebe (diff) | |
parent | e73333a83bd2dfb8911e73e7febf1e1157725912 (diff) | |
download | nss-hg-NSS_3_11_20060331_TAG.tar.gz |
fixup commit for tag 'NSS_3_11_20060331_TAG'NSS_3_11_20060331_TAG
-rw-r--r-- | security/coreconf/SunOS5.11.mk | 46 | ||||
-rw-r--r-- | security/coreconf/SunOS5.11_i86pc.mk | 53 | ||||
-rw-r--r-- | security/nss/cmd/dbck/dbrecover.c | 702 | ||||
-rwxr-xr-x | security/nss/cmd/fipstest/dsa.sh | 34 | ||||
-rw-r--r-- | security/nss/cmd/fipstest/rng.sh | 29 | ||||
-rw-r--r-- | security/nss/cmd/fipstest/rsa.sh | 20 | ||||
-rw-r--r-- | security/nss/lib/certhigh/manifest.mn | 1 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 182 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocsp.h | 12 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocspi.h | 47 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocspt.h | 231 | ||||
-rw-r--r-- | security/nss/lib/freebl/ecl/ecp_256.c | 429 | ||||
-rw-r--r-- | security/nss/lib/freebl/ecl/ecp_384.c | 293 | ||||
-rw-r--r-- | security/nss/lib/freebl/ecl/ecp_521.c | 170 | ||||
-rw-r--r-- | security/nss/lib/freebl/mpi/mpi_x86_asm.c | 368 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.def | 6 | ||||
-rw-r--r-- | security/nss/lib/nss/nssinit.c | 5 | ||||
-rw-r--r-- | security/nss/tests/cert/certext.txt | 132 |
18 files changed, 4 insertions, 2756 deletions
diff --git a/security/coreconf/SunOS5.11.mk b/security/coreconf/SunOS5.11.mk
deleted file mode 100644
index 5bcf4e897..000000000
--- a/security/coreconf/SunOS5.11.mk
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.11)
- OS_DEFINES += -DSOLARIS2_11
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
diff --git a/security/coreconf/SunOS5.11_i86pc.mk b/security/coreconf/SunOS5.11_i86pc.mk
deleted file mode 100644
index 1237f90aa..000000000
--- a/security/coreconf/SunOS5.11_i86pc.mk
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-SOL_CFLAGS = -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(USE_64),1)
- CPU_ARCH = x86_64
-else
- CPU_ARCH = x86
- OS_DEFINES += -Di386
-endif
-
-ifeq ($(OS_RELEASE),5.11_i86pc)
- OS_DEFINES += -DSOLARIS2_11
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c
deleted file mode 100644
index db65d0e5c..000000000
--- a/security/nss/cmd/dbck/dbrecover.c
+++ /dev/null
@@ -1,702 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -enum { - dbInvalidCert = 0, - dbNoSMimeProfile, - dbOlderCert, - dbBadCertificate, - dbCertNotWrittenToDB -}; - -typedef struct dbRestoreInfoStr -{ - NSSLOWCERTCertDBHandle *handle; - PRBool verbose; - PRFileDesc *out; - int nCerts; - int nOldCerts; - int dbErrors[5]; - PRBool removeType[3]; - PRBool promptUser[3]; -} dbRestoreInfo; - -char * -IsEmailCert(CERTCertificate *cert) -{ - char *email, *tmp1, *tmp2; - PRBool isCA; - int len; - - if (!cert->subjectName) { - return NULL; - } - - tmp1 = PORT_Strstr(cert->subjectName, "E="); - tmp2 = PORT_Strstr(cert->subjectName, "MAIL="); - /* XXX Nelson has cert for KTrilli which does not have either - * of above but is email cert (has cert->emailAddr). - */ - if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) { - return NULL; - } - - /* Server or CA cert, not personal email. */ - isCA = CERT_IsCACert(cert, NULL); - if (isCA) - return NULL; - - /* XXX CERT_IsCACert advertises checking the key usage ext., - but doesn't appear to. */ - /* Check the key usage extension. */ - if (cert->keyUsagePresent) { - /* Must at least be able to sign or encrypt (not neccesarily - * both if it is one of a dual cert). - */ - if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || - (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT))) - return NULL; - - /* CA cert, not personal email. */ - if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) - return NULL; - } - - if (cert->emailAddr && cert->emailAddr[0]) { - email = PORT_Strdup(cert->emailAddr); - } else { - if (tmp1) - tmp1 += 2; /* "E=" */ - else - tmp1 = tmp2 + 5; /* "MAIL=" */ - len = strcspn(tmp1, ", "); - email = (char*)PORT_Alloc(len+1); - PORT_Strncpy(email, tmp1, len); - email[len] = '\0'; - } - - return email; -} - -SECStatus -deleteit(CERTCertificate *cert, void *arg) -{ - return SEC_DeletePermCertificate(cert); -} - -/* Different than DeleteCertificate - has the added bonus of removing - * all certs with the same DN. 
- */ -SECStatus -deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert, - PRFileDesc *outfile) -{ -#if 0 - certDBEntrySubject *subjectEntry; - certDBEntryNickname *nicknameEntry; - certDBEntrySMime *smimeEntry; - int i; -#endif - - if (outfile) { - PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n"); - PR_fprintf(outfile, "Deleting redundant certificate:\n"); - dumpCertificate(cert, -1, outfile); - } - - CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL); -#if 0 - CERT_LockDB(handle); - subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject); - /* It had better be there, or created a bad db. */ - PORT_Assert(subjectEntry); - for (i=0; i<subjectEntry->ncerts; i++) { - DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]); - } - DeleteDBSubjectEntry(handle, &cert->derSubject); - if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) { - smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr); - if (smimeEntry) { - if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject, - &smimeEntry->subjectName)) - /* Only delete it if it's for this subject! */ - DeleteDBSMimeEntry(handle, subjectEntry->emailAddr); - SEC_DestroyDBEntry((certDBEntry*)smimeEntry); - } - } - if (subjectEntry->nickname) { - nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname); - if (nicknameEntry) { - if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject, - &nicknameEntry->subjectName)) - /* Only delete it if it's for this subject! 
*/ - DeleteDBNicknameEntry(handle, subjectEntry->nickname); - SEC_DestroyDBEntry((certDBEntry*)nicknameEntry); - } - } - SEC_DestroyDBEntry((certDBEntry*)subjectEntry); - CERT_UnlockDB(handle); -#endif - return SECSuccess; -} - -void -getCertsToDelete(char *numlist, int len, int *certNums, int nCerts) -{ - int j, num; - char *numstr, *numend, *end; - - numstr = numlist; - end = numstr + len - 1; - while (numstr != end) { - numend = strpbrk(numstr, ", \n"); - *numend = '\0'; - if (PORT_Strlen(numstr) == 0) - return; - num = PORT_Atoi(numstr); - if (numstr == numlist) - certNums[0] = num; - for (j=1; j<nCerts+1; j++) { - if (num == certNums[j]) { - certNums[j] = -1; - break; - } - } - if (numend == end) - break; - numstr = strpbrk(numend+1, "0123456789"); - } -} - -PRBool -userSaysDeleteCert(CERTCertificate **certs, int nCerts, - int errtype, dbRestoreInfo *info, int *certNums) -{ - char response[32]; - int32 nb; - int i; - /* User wants to remove cert without prompting. */ - if (info->promptUser[errtype] == PR_FALSE) - return (info->removeType[errtype]); - switch (errtype) { - case dbInvalidCert: - PR_fprintf(PR_STDOUT, "******** Expired ********\n"); - PR_fprintf(PR_STDOUT, "Cert has expired.\n\n"); - dumpCertificate(certs[0], -1, PR_STDOUT); - PR_fprintf(PR_STDOUT, - "Keep it? (y/n - this one, Y/N - all expired certs) [n] "); - break; - case dbNoSMimeProfile: - PR_fprintf(PR_STDOUT, "******** No Profile ********\n"); - PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n"); - dumpCertificate(certs[0], -1, PR_STDOUT); - PR_fprintf(PR_STDOUT, - "Keep it? 
(y/n - this one, Y/N - all S/MIME w/o profile) [n] "); - break; - case dbOlderCert: - PR_fprintf(PR_STDOUT, "******* Redundant nickname/email *******\n\n"); - PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n"); - for (i=0; i<nCerts; i++) - dumpCertificate(certs[i], i, PR_STDOUT); - PR_fprintf(PR_STDOUT, - "Enter the certs you would like to keep from those listed above.\n"); - PR_fprintf(PR_STDOUT, - "Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n"); - PR_fprintf(PR_STDOUT, - "The first cert in the list will be the primary cert\n"); - PR_fprintf(PR_STDOUT, - " accessed by the nickname/email handle.\n"); - PR_fprintf(PR_STDOUT, - "List cert numbers to keep here, or hit enter\n"); - PR_fprintf(PR_STDOUT, - " to always keep only the newest cert: "); - break; - default: - } - nb = PR_Read(PR_STDIN, response, sizeof(response)); - PR_fprintf(PR_STDOUT, "\n\n"); - if (errtype == dbOlderCert) { - if (!isdigit(response[0])) { - info->promptUser[errtype] = PR_FALSE; - info->removeType[errtype] = PR_TRUE; - return PR_TRUE; - } - getCertsToDelete(response, nb, certNums, nCerts); - return PR_TRUE; - } - /* User doesn't want to be prompted for this type anymore. */ - if (response[0] == 'Y') { - info->promptUser[errtype] = PR_FALSE; - info->removeType[errtype] = PR_FALSE; - return PR_FALSE; - } else if (response[0] == 'N') { - info->promptUser[errtype] = PR_FALSE; - info->removeType[errtype] = PR_TRUE; - return PR_TRUE; - } - return (response[0] != 'y') ? 
PR_TRUE : PR_FALSE; -} - -SECStatus -addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, - NSSLOWCERTCertDBHandle *oldhandle) -{ - SECStatus rv = SECSuccess; - PRBool allowOverride; - PRBool userCert; - SECCertTimeValidity validity; - CERTCertificate *oldCert = NULL; - CERTCertificate *dbCert = NULL; - CERTCertificate *newCert = NULL; - CERTCertTrust *trust; - certDBEntrySMime *smimeEntry = NULL; - char *email = NULL; - char *nickname = NULL; - int nCertsForSubject = 1; - - oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE, - certEntry->nickname); - if (!oldCert) { - info->dbErrors[dbBadCertificate]++; - SEC_DestroyDBEntry((certDBEntry*)certEntry); - return SECSuccess; - } - - oldCert->dbEntry = certEntry; - oldCert->trust = &certEntry->trust; - oldCert->dbhandle = oldhandle; - - trust = oldCert->trust; - - info->nOldCerts++; - - if (info->verbose) - PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n"); - - if (oldCert->nickname) - nickname = PORT_Strdup(oldCert->nickname); - - /* Always keep user certs. Skip ahead. */ - /* XXX if someone sends themselves a signed message, it is possible - for their cert to be imported as an "other" cert, not a user cert. - this mucks with smime entries... */ - userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) || - (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) || - (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER); - if (userCert) - goto createcert; - - /* If user chooses so, ignore expired certificates. */ - allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) || - (oldCert->keyUsage == certUsageSSLServerWithStepUp)); - validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride); - /* If cert expired and user wants to delete it, ignore it. 
*/ - if ((validity != secCertTimeValid) && - userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) { - info->dbErrors[dbInvalidCert]++; - if (info->verbose) { - PR_fprintf(info->out, "Deleting expired certificate:\n"); - dumpCertificate(oldCert, -1, info->out); - } - goto cleanup; - } - - /* New database will already have default certs, don't attempt - to overwrite them. */ - dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert); - if (dbCert) { - info->nCerts++; - if (info->verbose) { - PR_fprintf(info->out, "Added certificate to database:\n"); - dumpCertificate(oldCert, -1, info->out); - } - goto cleanup; - } - - /* Determine if cert is S/MIME and get its email if so. */ - email = IsEmailCert(oldCert); - - /* - XXX Just create empty profiles? - if (email) { - SECItem *profile = CERT_FindSMimeProfile(oldCert); - if (!profile && - userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) { - info->dbErrors[dbNoSMimeProfile]++; - if (info->verbose) { - PR_fprintf(info->out, - "Deleted cert missing S/MIME profile.\n"); - dumpCertificate(oldCert, -1, info->out); - } - goto cleanup; - } else { - SECITEM_FreeItem(profile); - } - } - */ - -createcert: - - /* Sometimes happens... */ - if (!nickname && userCert) - nickname = PORT_Strdup(oldCert->subjectName); - - /* Create a new certificate, copy of the old one. */ - newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, - nickname, PR_FALSE, PR_TRUE); - if (!newCert) { - PR_fprintf(PR_STDERR, "Unable to create new certificate.\n"); - dumpCertificate(oldCert, -1, PR_STDERR); - info->dbErrors[dbBadCertificate]++; - goto cleanup; - } - - /* Add the cert to the new database. 
*/ - rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust); - if (rv) { - PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n"); - dumpCertificate(oldCert, -1, PR_STDERR); - info->dbErrors[dbCertNotWrittenToDB]++; - goto cleanup; - } - - if (info->verbose) { - PR_fprintf(info->out, "Added certificate to database:\n"); - dumpCertificate(oldCert, -1, info->out); - } - - /* If the cert is an S/MIME cert, and the first with it's subject, - * modify the subject entry to include the email address, - * CERT_AddTempCertToPerm does not do email addresses and S/MIME entries. - */ - if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */ -#if 0 - UpdateSubjectWithEmailAddr(newCert, email); -#endif - SECItem emailProfile, profileTime; - rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime); - /* calls UpdateSubjectWithEmailAddr */ - if (rv == SECSuccess) - rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime); - } - - info->nCerts++; - -cleanup: - - if (nickname) - PORT_Free(nickname); - if (email) - PORT_Free(email); - if (oldCert) - CERT_DestroyCertificate(oldCert); - if (dbCert) - CERT_DestroyCertificate(dbCert); - if (newCert) - CERT_DestroyCertificate(newCert); - if (smimeEntry) - SEC_DestroyDBEntry((certDBEntry*)smimeEntry); - return SECSuccess; -} - -#if 0 -SECStatus -copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata) -{ - SECStatus rv; - NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata; - certDBEntryCommon common; - SECItem dbkey; - - common.type = type; - common.version = CERT_DB_FILE_VERSION; - common.flags = data->data[2]; - common.arena = NULL; - - dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN; - dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char)); - PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len); - dbkey.data[0] = type; - - rv = WriteDBEntry(newdb, &common, &dbkey, data); - - PORT_Free(dbkey.data); - return rv; -} -#endif - 
-int -certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2) -{ - return !CERT_IsNewer(*cert1, *cert2); -} - -int -findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum, - certDBArray *dbArray, dbRestoreInfo *info, - int *subjectWithSMime, int *smimeForSubject) -{ - int newestSubject; - int subjectsForEmail[50]; - int i, j, ns, sNum; - certDBEntryListNode *subjects = &dbArray->subjects; - certDBEntryListNode *smime = &dbArray->smime; - certDBEntrySubject *subjectEntry1, *subjectEntry2; - certDBEntrySMime *smimeEntry; - CERTCertificate **certs; - CERTCertificate *cert; - CERTCertTrust *trust; - PRBool userCert; - int *certNums; - - ns = 0; - subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum]; - subjectsForEmail[ns++] = subjectNum; - - *subjectWithSMime = -1; - *smimeForSubject = -1; - newestSubject = subjectNum; - - cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]); - if (cert) { - trust = cert->trust; - userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) || - (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) || - (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER); - CERT_DestroyCertificate(cert); - } - - /* - * XXX Should we make sure that subjectEntry1->emailAddr is not - * a null pointer or an empty string before going into the next - * two for loops, which pass it to PORT_Strcmp? - */ - - /* Loop over the remaining subjects. */ - for (i=subjectNum+1; i<subjects.numEntries; i++) { - subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i]; - if (!subjectEntry2) - continue; - if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] && - PORT_Strcmp(subjectEntry1->emailAddr, - subjectEntry2->emailAddr) == 0) { - /* Found a subject using the same email address. */ - subjectsForEmail[ns++] = i; - } - } - - /* Find the S/MIME entry for this email address. 
*/ - for (i=0; i<smime.numEntries; i++) { - smimeEntry = (certDBEntrySMime*)&smime.entries[i]; - if (smimeEntry->common.arena == NULL) - continue; - if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && - PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) { - /* Find which of the subjects uses this S/MIME entry. */ - for (j=0; j<ns && *subjectWithSMime < 0; j++) { - sNum = subjectsForEmail[j]; - subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum]; - if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName, - &subjectEntry2->derSubject)) { - /* Found the subject corresponding to the S/MIME entry. */ - *subjectWithSMime = sNum; - *smimeForSubject = i; - } - } - SEC_DestroyDBEntry((certDBEntry*)smimeEntry); - PORT_Memset(smimeEntry, 0, sizeof(certDBEntry)); - break; - } - } - - if (ns <= 1) - return subjectNum; - - if (userCert) - return *subjectWithSMime; - - /* Now find which of the subjects has the newest cert. */ - certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*)); - certNums = (int*)PORT_Alloc((ns+1)*sizeof(int)); - certNums[0] = 0; - for (i=0; i<ns; i++) { - sNum = subjectsForEmail[i]; - subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum]; - certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]); - certNums[i+1] = i; - } - /* Sort the array by validity. 
*/ - qsort(certs, ns, sizeof(CERTCertificate*), - (int (*)(const void *, const void *))certIsOlder); - newestSubject = -1; - for (i=0; i<ns; i++) { - sNum = subjectsForEmail[i]; - subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum]; - if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject, - &certs[0]->derSubject)) - newestSubject = sNum; - else - SEC_DestroyDBEntry((certDBEntry*)subjectEntry1); - } - if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) { - for (i=1; i<ns+1; i++) { - if (certNums[i] >= 0 && certNums[i] != certNums[0]) { - deleteAllEntriesForCert(handle, certs[certNums[i]], info->out); - info->dbErrors[dbOlderCert]++; - } - } - } - CERT_DestroyCertArray(certs, ns); - return newestSubject; -} - -NSSLOWCERTCertDBHandle * -DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname, - PRFileDesc *outfile, PRBool removeExpired, - PRBool requireProfile, PRBool singleEntry, - PRBool promptUser) -{ - SECStatus rv; - dbRestoreInfo info; - certDBEntryContentVersion *oldContentVersion; - certDBArray dbArray; - int i; - - PORT_Memset(&dbArray, 0, sizeof(dbArray)); - PORT_Memset(&info, 0, sizeof(info)); - info.verbose = (outfile) ? PR_TRUE : PR_FALSE; - info.out = (outfile) ? outfile : PR_STDOUT; - info.removeType[dbInvalidCert] = removeExpired; - info.removeType[dbNoSMimeProfile] = requireProfile; - info.removeType[dbOlderCert] = singleEntry; - info.promptUser[dbInvalidCert] = promptUser; - info.promptUser[dbNoSMimeProfile] = promptUser; - info.promptUser[dbOlderCert] = promptUser; - - /* Allocate a handle to fill with CERT_OpenCertDB below. */ - info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle); - if (!info.handle) { - fprintf(stderr, "unable to get database handle"); - return NULL; - } - - /* Create a certdb with the most recent set of roots. 
*/ - rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE); - - if (rv) { - fprintf(stderr, "could not open certificate database"); - goto loser; - } - - /* Create certificate, subject, nickname, and email records. - * mcom_db seems to have a sequential access bug. Though reads and writes - * should be allowed during traversal, they seem to screw up the sequence. - * So, stuff all the cert entries into an array, and loop over the array - * doing read/writes in the db. - */ - fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs); - for (elem = PR_LIST_HEAD(&dbArray->certs.link); - elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) { - node = LISTNODE_CAST(elem); - addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle); - /* entries get destroyed in addCertToDB */ - } -#if 0 - rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, - copyDBEntry, info.handle); -#endif - - /* Fix up the pointers between (nickname|S/MIME) --> (subject). - * Create S/MIME entries for S/MIME certs. - * Have the S/MIME entry point to the last-expiring cert using - * an email address. - */ -#if 0 - CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info); -#endif - - freeDBEntryList(&dbArray.certs.link); - - /* Copy over the version record. */ - /* XXX Already exists - and _must_ be correct... */ - /* - versionEntry = ReadDBVersionEntry(oldhandle); - rv = WriteDBVersionEntry(info.handle, versionEntry); - */ - - /* Copy over the content version record. */ - /* XXX Can probably get useful info from old content version? - * Was this db created before/after this tool? etc. - */ -#if 0 - oldContentVersion = ReadDBContentVersionEntry(oldhandle); - CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); -#endif - -#if 0 - /* Copy over the CRL & KRL records. */ - rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, - copyDBEntry, info.handle); - /* XXX Only one KRL, just do db->get? 
*/ - rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, - copyDBEntry, info.handle); -#endif - - PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts); - - PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts); - PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", - info.dbErrors[dbInvalidCert]); - PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", - info.dbErrors[dbNoSMimeProfile]); - PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", - info.dbErrors[dbOlderCert]); - PR_fprintf(info.out, " Rejected %d corrupt certificates.\n", - info.dbErrors[dbBadCertificate]); - PR_fprintf(info.out, " Rejected %d certificates which did not write to the DB.\n", - info.dbErrors[dbCertNotWrittenToDB]); - - if (rv) - goto loser; - - return info.handle; - -loser: - if (info.handle) - PORT_Free(info.handle); - return NULL; -} - diff --git a/security/nss/cmd/fipstest/dsa.sh b/security/nss/cmd/fipstest/dsa.sh deleted file mode 100755 index 50dd20d4a..000000000 --- a/security/nss/cmd/fipstest/dsa.sh +++ /dev/null 
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST DSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path. Then run this script in the
-# directory where the REQUEST (.req) files reside. The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-request=KeyPair.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa keypair $request > $response
-
-request=PQGGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqggen $request > $response
-
-request=PQGVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqgver $request > $response
-
-request=SigGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa siggen $request > $response
-
-request=SigVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/rng.sh b/security/nss/cmd/fipstest/rng.sh
deleted file mode 100644
index 4b62a998d..000000000
--- a/security/nss/cmd/fipstest/rng.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST RNG Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path. Then run this script in the
-# directory where the REQUEST (.req) files reside. The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-vst_requests="
-FIPS186_VST.req
-FIPS186_VSTGEN.req
-"
-mct_requests="
-FIPS186_MCT.req
-FIPS186_MCTGEN.req
-"
-
-for request in $vst_requests; do
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
- fipstest rng vst $request > $response
-done
-for request in $mct_requests; do
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
- fipstest rng mct $request > $response
-done
diff --git a/security/nss/cmd/fipstest/rsa.sh b/security/nss/cmd/fipstest/rsa.sh
deleted file mode 100644
index 4b68a58bc..000000000
--- a/security/nss/cmd/fipstest/rsa.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST RSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path. Then run this script in the
-# directory where the REQUEST (.req) files reside. The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-
-request=SigGen15.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa siggen $request > $response
-
-request=SigVer15.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa sigver $request > $response
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
index 98eb9876d..bd8de3771 100644
--- a/security/nss/lib/certhigh/manifest.mn
+++ b/security/nss/lib/certhigh/manifest.mn @@ -43,7 +43,6 @@ EXPORTS = \ PRIVATE_EXPORTS = \ ocspti.h \ - ocspi.h \ $(NULL) MODULE = nss diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 53f2c3e13..9eda390b4 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -68,59 +68,6 @@ #include <stdarg.h> -static struct OCSPGlobalStruct { - PRLock *lock; - const SEC_HttpClientFcn *defaultHttpClientFcn; -} OCSP_Global = { NULL, NULL }; - -SECStatus -SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable) -{ - if (!OCSP_Global.lock) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - PR_Lock(OCSP_Global.lock); - OCSP_Global.defaultHttpClientFcn = fcnTable; - PR_Unlock(OCSP_Global.lock); - - return SECSuccess; -} - -/* this function is called at NSS initialization time */ -SECStatus InitOCSPGlobal(void) -{ - if (OCSP_Global.lock != NULL) { - /* already initialized */ - return SECSuccess; - } - - OCSP_Global.lock = PR_NewLock(); - - return (OCSP_Global.lock) ? SECSuccess : SECFailure; -} - -/* - * A return value of NULL means: - * The application did not register it's own HTTP client. - */ -static const SEC_HttpClientFcn *GetRegisteredHttpClient() -{ - const SEC_HttpClientFcn *retval; - - if (!OCSP_Global.lock) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } - - PR_Lock(OCSP_Global.lock); - retval = OCSP_Global.defaultHttpClientFcn; - PR_Unlock(OCSP_Global.lock); - - return retval; -} - /* * The following structure is only used internally. It is allocated when * someone turns on OCSP checking, and hangs off of the status-configuration 
@@ -2186,110 +2133,6 @@ ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock) return result; } -/* - * Limit the size of http responses we are willing to accept. - */ -#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024 - -static SECItem * -fetchOcspHttpClientV1(PRArenaPool *arena, - const SEC_HttpClientFcnV1 *hcv1, - char *location, - SECItem *encodedRequest) -{ - char *hostname = NULL; - char *path = NULL; - PRUint16 port; - SECItem *encodedResponse = NULL; - SEC_HTTP_SERVER_SESSION pServerSession = NULL; - SEC_HTTP_REQUEST_SESSION pRequestSession = NULL; - PRUint16 myHttpResponseCode; - const char *myHttpResponseData; - PRUint32 myHttpResponseDataLen; - - if (ocsp_ParseURL(location, &hostname, &port, &path) == SECFailure) { - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); - goto loser; - } - - PORT_Assert(hostname != NULL); - PORT_Assert(path != NULL); - - if ((*hcv1->createSessionFcn)( - hostname, - port, - &pServerSession) != SECSuccess) { - PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); - goto loser; - } - - /* We use a non-zero timeout, which means: - - the client will use blocking I/O - - TryFcn will not return WOULD_BLOCK nor a poll descriptor - - it's sufficient to call TryFcn once - */ - - if ((*hcv1->createFcn)( - pServerSession, - "http", - path, - "POST", - PR_TicksPerSecond() * 60, - &pRequestSession) != SECSuccess) { - PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); - goto loser; - } - - if ((*hcv1->setPostDataFcn)( - pRequestSession, - (char*)encodedRequest->data, - encodedRequest->len, - "application/ocsp-request") != SECSuccess) { - PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); - goto loser; - } - - /* we don't want result objects larger than this: */ - myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN; - - if ((*hcv1->trySendAndReceiveFcn)( - pRequestSession, - NULL, - &myHttpResponseCode, - NULL, - NULL, - &myHttpResponseData, - &myHttpResponseDataLen) != SECSuccess) { - PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); - goto loser; - } - - if 
(myHttpResponseCode != 200) { - PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); - goto loser; - } - - encodedResponse = SECITEM_AllocItem(arena, NULL, myHttpResponseDataLen); - - if (!encodedResponse) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } - - PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen); - -loser: - if (pRequestSession != NULL) - (*hcv1->freeFcn)(pRequestSession); - if (pServerSession != NULL) - (*hcv1->freeSessionFcn)(pServerSession); - if (path != NULL) - PORT_Free(path); - if (hostname != NULL) - PORT_Free(hostname); - - return encodedResponse; -} /* * FUNCTION: CERT_GetEncodedOCSPResponse @@ -2349,7 +2192,6 @@ CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList, SECItem *encodedResponse = NULL; PRFileDesc *sock = NULL; SECStatus rv; - const SEC_HttpClientFcn *registeredHttpClient = NULL; request = CERT_CreateOCSPRequest(certList, time, addServiceLocator, signerCert); @@ -2365,27 +2207,11 @@ CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList, if (encodedRequest == NULL) goto loser; - registeredHttpClient = GetRegisteredHttpClient(); - - if (registeredHttpClient - && - registeredHttpClient->version == 1) { - encodedResponse = fetchOcspHttpClientV1( - arena, - ®isteredHttpClient->fcnTable.ftable1, - location, - encodedRequest); - } - else { - /* use internal http client */ - - sock = ocsp_SendEncodedRequest(location, encodedRequest); - if (sock == NULL) - goto loser; - - encodedResponse = ocsp_GetEncodedResponse(arena, sock); - } + sock = ocsp_SendEncodedRequest(location, encodedRequest); + if (sock == NULL) + goto loser; + encodedResponse = ocsp_GetEncodedResponse(arena, sock); if (encodedResponse != NULL && pRequest != NULL) { *pRequest = request; request = NULL; /* avoid destroying below */ diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h index 810bc010c..c188f6780 100644 --- a/security/nss/lib/certhigh/ocsp.h 
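Review bot: The added `sock = ocsp_SendEncodedRequest(location, encodedRequest);` / `encodedResponse = ocsp_GetEncodedResponse(arena, sock);` lines in `CERT_GetEncodedOCSPResponse` (hunk `@@ -2365,27 +2207,11 @@`) show no upper bound on how much network-supplied response data is accepted. The only limit visible in this diff is `MAX_WANTED_OCSP_RESPONSE_LEN` (64*1024), and it belonged to the fetch path that this same commit deletes. The body of `ocsp_GetEncodedResponse` is outside the diff, so it may already cap its reads; that should be confirmed, and if it does not, the size check belongs there before anything is allocated from `arena`. Either way I would record the contract at the call site with a comment such as `/* response length is bounded in ocsp_GetEncodedResponse; responder data is untrusted */`. The enclosing function starts and ends outside the hunk, so the `loser:` cleanup for `sock` could not be checked from here.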
+++ b/security/nss/lib/certhigh/ocsp.h @@ -56,18 +56,6 @@ SEC_BEGIN_PROTOS /* - * This function registers the HttpClient with whose functions the - * HttpClientFcn structure have been populated as the default Http - * client. - * - * The function table must be a global object. - * The caller must ensure that NSS will be able to call - * the registered functions for the lifetime of the process. - */ -extern SECStatus -SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable); - -/* * FUNCTION: CERT_EnableOCSPChecking * Turns on OCSP checking for the given certificate database. * INPUTS: diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h deleted file mode 100644 index a1c1ccb78..000000000 --- a/security/nss/lib/certhigh/ocspi.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -/* - * ocspi.h - NSS internal interfaces to OCSP code - * - * $Id$ - */ - -#ifndef _OCSPI_H_ -#define _OCSPI_H_ - -SECStatus InitOCSPGlobal(void); - -#endif /* _OCSPI_H_ */ 
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
index 18ca8ecb6..5171d9cdb 100644
--- a/security/nss/lib/certhigh/ocspt.h
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -59,235 +59,4 @@ typedef struct CERTOCSPCertIDStr CERTOCSPCertID; typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus; typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse; -/* - * This interface is described in terms of an HttpClient which - * supports at least a specified set of functions. (An implementer may - * provide HttpClients with additional functionality accessible only to - * users with a particular implementation in mind.) The basic behavior - * is provided by defining a set of functions, listed in an - * SEC_HttpServerFcnStruct. If the implementor of a SpecificHttpClient - * registers his SpecificHttpClient as the default HttpClient, then his - * functions will be called by the user of an HttpClient, such as an - * OCSPChecker. - * - * The implementer of a specific HttpClient (e.g., the NSS-provided - * DefaultHttpClient), populates an SEC_HttpClientFcnStruct, uses it to - * register his client, and waits for his functions to be called. - * - * For future expandability, the SEC_HttpClientFcnStruct is defined as a - * union, with the version field acting as a selector. The proposed - * initial version of the structure is given following the definition - * of the union. The HttpClientState structure is implementation- - * dependent, and should be opaque to the user. - */ - -typedef void * SEC_HTTP_SERVER_SESSION; -typedef void * SEC_HTTP_REQUEST_SESSION; - -/* - * This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a - * specific HttpClient will allocate the necessary space, when this - * function is called, and will free it when the corresponding FreeFcn - * is called. The SEC_HTTP_SERVER_SESSION object is passed, as an opaque object, - * to subsequent calls. - * - * If the function returns SECSuccess, the returned SEC_HTTP_SERVER_SESSION - * must be cleaned up with a call to SEC_HttpServer_FreeSession, - * after processing is finished. 
- */ -typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)( - const char *host, - PRUint16 portnum, - SEC_HTTP_SERVER_SESSION *pSession); - -/* - * This function is called to allow the implementation to attempt to keep - * the connection alive. Depending on the underlying platform, it might - * immediately return SECSuccess without having performed any operations. - * (If a connection has not been kept alive, a subsequent call to - * SEC_HttpRequest_TrySendAndReceiveFcn should reopen the connection - * automatically.) - * - * If the connection uses nonblocking I/O, this function may return - * SECWouldBlock and store a nonzero value at "pPollDesc". In that case - * the caller may wait on the poll descriptor, and should call this function - * again until SECSuccess (and a zero value at "pPollDesc") is obtained. - */ -typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)( - SEC_HTTP_SERVER_SESSION session, - PRPollDesc **pPollDesc); - -/* - * This function frees the client SEC_HTTP_SERVER_SESSION object, closes all - * SEC_HTTP_REQUEST_SESSIONs created for that server, discards all partial results, - * frees any memory that was allocated by the client, and invalidates any - * response pointers that might have been returned by prior server or request - * functions. - */ -typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)( - SEC_HTTP_SERVER_SESSION session); - -/* - * This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a - * specific HttpClient will allocate the necessary space, when this - * function is called, and will free it when the corresponding FreeFcn - * is called. The SEC_HTTP_REQUEST_SESSION object is passed, as an opaque object, - * to subsequent calls. - * - * An implementation that does not support the requested protocol variant - * (usually "http", but could eventually allow "https") or request method - * should return SECFailure. 
- * - * Timeout values may include the constants PR_INTERVAL_NO_TIMEOUT (wait - * forever) or PR_INTERVAL_NO_WAIT (nonblocking I/O). - * - * If the function returns SECSuccess, the returned SEC_HTTP_REQUEST_SESSION - * must be cleaned up with a call to SEC_HttpRequest_FreeSession, - * after processing is finished. - */ -typedef SECStatus (*SEC_HttpRequest_CreateFcn)( - SEC_HTTP_SERVER_SESSION session, - const char *http_protocol_variant, /* usually "http" */ - const char *path_and_query_string, - const char *http_request_method, - const PRIntervalTime timeout, - SEC_HTTP_REQUEST_SESSION *pRequest); - -/* - * This function sets data to be sent to the server for an HTTP request - * of http_request_method == POST. If a particular implementation - * supports it, the details for the POST request can be set by calling - * this function, prior to activating the request with TrySendAndReceiveFcn. - * - * An implementation that does not support the POST method should - * implement a SetPostDataFcn function that returns immediately. - * - * Setting http_content_type is optional, the parameter may - * by NULL or the empty string. - */ -typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)( - SEC_HTTP_REQUEST_SESSION request, - const char *http_data, - const PRUint32 http_data_len, - const char *http_content_type); - -/* - * This function sets an additional HTTP protocol request header. - * If a particular implementation supports it, one or multiple headers - * can be added to the request by calling this function once or multiple - * times, prior to activating the request with TryFcn. - * - * An implementation that does not support setting additional headers - * should implement an AddRequestHeaderFcn function that returns immediately. - */ -typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)( - SEC_HTTP_REQUEST_SESSION request, - const char *http_header_name, - const char *http_header_value); - -/* - * This function initiates or continues an HTTP request. 
After - * parameters have been set with the Create function and, optionally, - * modified or enhanced with the AddParams function, this call creates - * the socket connection and initiates the communication. - * - * If a timeout value of zero is specified, indicating non-blocking - * I/O, the client creates a non-blocking socket, and returns a status - * of SECWouldBlock and a non-NULL PRPollDesc if the operation is not - * complete. In that case all other return parameters are undefined. - * The caller is expected to repeat the call, possibly after using - * PRPoll to determine that a completion has occurred, until a return - * value of SECSuccess (and a NULL value for pPollDesc) or a return - * value of SECFailure (indicating failure on the network level) - * is obtained. - * - * http_response_data_len is both input and output parameter. - * If a pointer to a PRUint32 is supplied, the http client is - * expected to check the given integer value and always set an out - * value, even on failure. - * An input value of zero means, the caller will accept any response len. - * A different input value indicates the maximum response value acceptable - * to the caller. - * If data is successfully read and the size is acceptable to the caller, - * the function will return SECSuccess and set http_response_data_len to - * the size of the block returned in http_response_data. - * If the data read from the http server is larger than the acceptable - * size, the function will return SECFailure. - * http_response_data_len will be set to a value different from zero to - * indicate the reason of the failure. - * An out value of "0" means, the failure was unrelated to the - * acceptable size. 
- * An out value of "1" means, the result data is larger than the - * accpeptable size, but the real size is not yet known to the http client - * implementation and it stopped retrieving it, - * Any other out value combined with a return value of SECFailure - * will indicate the actual size of the server data. - * - * The caller is permitted to provide NULL values for any of the - * http_response arguments, indicating the caller is not interested in - * those values. If the caller does provide an address, the HttpClient - * stores at that address a pointer to the corresponding argument, at - * the completion of the operation. - * - * All returned pointers will be owned by the the HttpClient - * implementation and will remain valid until the call to - * SEC_HttpRequest_FreeFcn. - */ -typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)( - SEC_HTTP_REQUEST_SESSION request, - PRPollDesc **pPollDesc, - PRUint16 *http_response_code, - const char **http_response_content_type, - const char **http_response_headers, - const char **http_response_data, - PRUint32 *http_response_data_len); - -/* - * Calling CancelFcn asks for premature termination of the request. - * - * Future calls to SEC_HttpRequest_TrySendAndReceive should - * by avoided, but in this case the HttpClient implementation - * is expected to return immediately with SECFailure. - * - * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn - * is still necessary to free resources. - */ -typedef SECStatus (*SEC_HttpRequest_CancelFcn)( - SEC_HTTP_REQUEST_SESSION request); - -/* - * Before calling this function, it must be assured the request - * has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has - * returned SECSuccess, or the request has been canceled with - * a call to SEC_HttpRequest_CancelFcn. 
- * - * This function frees the client state object, closes all sockets, - * discards all partial results, frees any memory that was allocated - * by the client, and invalidates all response pointers that might - * have been returned by SEC_HttpRequest_TrySendAndReceiveFcn - */ -typedef SECStatus (*SEC_HttpRequest_FreeFcn)( - SEC_HTTP_REQUEST_SESSION request); - -typedef struct SEC_HttpClientFcnV1Struct { - SEC_HttpServer_CreateSessionFcn createSessionFcn; - SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn; - SEC_HttpServer_FreeSessionFcn freeSessionFcn; - SEC_HttpRequest_CreateFcn createFcn; - SEC_HttpRequest_SetPostDataFcn setPostDataFcn; - SEC_HttpRequest_AddHeaderFcn addHeaderFcn; - SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn; - SEC_HttpRequest_CancelFcn cancelFcn; - SEC_HttpRequest_FreeFcn freeFcn; -} SEC_HttpClientFcnV1; - -typedef struct SEC_HttpClientFcnStruct { - PRInt16 version; - union { - SEC_HttpClientFcnV1 ftable1; - /* SEC_HttpClientFcnV2 ftable2; */ - /* ... */ - } fcnTable; -} SEC_HttpClientFcn; - #endif /* _OCSPT_H_ */ diff --git a/security/nss/lib/freebl/ecl/ecp_256.c b/security/nss/lib/freebl/ecl/ecp_256.c deleted file mode 100644 index 15d29ab6e..000000000 --- a/security/nss/lib/freebl/ecl/ecp_256.c +++ /dev/null 
@@ -1,429 +0,0 @@ -/* - * ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the elliptic curve math library for prime field curves. - * - * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. - * Portions created by the Initial Developer are Copyright (C) 2003 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Douglas Stebila <douglas@stebila.ca> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" -#include <stdlib.h> - -/* Fast modular reduction for p256 = 2^256 - 2^224 + 2^192+ 2^96 - 1. 
a can be r. - * Uses algorithm 2.29 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -mp_err -ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_size a_used = MP_USED(a); - int a_bits = mpl_significant_bits(a); - mp_digit carry; - -#ifdef ECL_THIRTY_TWO_BIT - mp_digit a8=0, a9=0, a10=0, a11=0, a12=0, a13=0, a14=0, a15=0; - mp_digit r0, r1, r2, r3, r4, r5, r6, r7; - int r8; /* must be a signed value ! */ -#else - mp_digit a4=0, a5=0, a6=0, a7=0; - mp_digit a4h, a4l, a5h, a5l, a6h, a6l, a7h, a7l; - mp_digit r0, r1, r2, r3; - int r4; /* must be a signed value ! */ -#endif - /* for polynomials larger than twice the field size - * use regular reduction */ - if (a_bits < 256) { - if (a == r) return MP_OKAY; - return mp_copy(a,r); - } - if (a_bits > 512) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - -#ifdef ECL_THIRTY_TWO_BIT - switch (a_used) { - case 16: - a15 = MP_DIGIT(a,15); - case 15: - a14 = MP_DIGIT(a,14); - case 14: - a13 = MP_DIGIT(a,13); - case 13: - a12 = MP_DIGIT(a,12); - case 12: - a11 = MP_DIGIT(a,11); - case 11: - a10 = MP_DIGIT(a,10); - case 10: - a9 = MP_DIGIT(a,9); - case 9: - a8 = MP_DIGIT(a,8); - } - - r0 = MP_DIGIT(a,0); - r1 = MP_DIGIT(a,1); - r2 = MP_DIGIT(a,2); - r3 = MP_DIGIT(a,3); - r4 = MP_DIGIT(a,4); - r5 = MP_DIGIT(a,5); - r6 = MP_DIGIT(a,6); - r7 = MP_DIGIT(a,7); - - /* sum 1 */ - MP_ADD_CARRY(r3, a11, r3, 0, carry); - MP_ADD_CARRY(r4, a12, r4, carry, carry); - MP_ADD_CARRY(r5, a13, r5, carry, carry); - MP_ADD_CARRY(r6, a14, r6, carry, carry); - MP_ADD_CARRY(r7, a15, r7, carry, carry); - r8 = carry; - MP_ADD_CARRY(r3, a11, r3, 0, carry); - MP_ADD_CARRY(r4, a12, r4, carry, carry); - MP_ADD_CARRY(r5, a13, r5, carry, carry); - MP_ADD_CARRY(r6, a14, r6, carry, carry); - MP_ADD_CARRY(r7, a15, r7, carry, carry); - r8 += carry; - /* sum 2 */ - MP_ADD_CARRY(r3, a12, r3, 0, carry); - MP_ADD_CARRY(r4, a13, r4, carry, carry); - MP_ADD_CARRY(r5, a14, r5, carry, 
carry); - MP_ADD_CARRY(r6, a15, r6, carry, carry); - MP_ADD_CARRY(r7, 0, r7, carry, carry); - r8 += carry; - /* combine last bottom of sum 3 with second sum 2 */ - MP_ADD_CARRY(r0, a8, r0, 0, carry); - MP_ADD_CARRY(r1, a9, r1, carry, carry); - MP_ADD_CARRY(r2, a10, r2, carry, carry); - MP_ADD_CARRY(r3, a12, r3, carry, carry); - MP_ADD_CARRY(r4, a13, r4, carry, carry); - MP_ADD_CARRY(r5, a14, r5, carry, carry); - MP_ADD_CARRY(r6, a15, r6, carry, carry); - MP_ADD_CARRY(r7, a15, r7, carry, carry); /* from sum 3 */ - r8 += carry; - /* sum 3 (rest of it)*/ - MP_ADD_CARRY(r6, a14, r6, 0, carry); - MP_ADD_CARRY(r7, 0, r7, carry, carry); - r8 += carry; - /* sum 4 (rest of it)*/ - MP_ADD_CARRY(r0, a9, r0, 0, carry); - MP_ADD_CARRY(r1, a10, r1, carry, carry); - MP_ADD_CARRY(r2, a11, r2, carry, carry); - MP_ADD_CARRY(r3, a13, r3, carry, carry); - MP_ADD_CARRY(r4, a14, r4, carry, carry); - MP_ADD_CARRY(r5, a15, r5, carry, carry); - MP_ADD_CARRY(r6, a13, r6, carry, carry); - MP_ADD_CARRY(r7, a8, r7, carry, carry); - r8 += carry; - /* diff 5 */ - MP_SUB_BORROW(r0, a11, r0, 0, carry); - MP_SUB_BORROW(r1, a12, r1, carry, carry); - MP_SUB_BORROW(r2, a13, r2, carry, carry); - MP_SUB_BORROW(r3, 0, r3, carry, carry); - MP_SUB_BORROW(r4, 0, r4, carry, carry); - MP_SUB_BORROW(r5, 0, r5, carry, carry); - MP_SUB_BORROW(r6, a8, r6, carry, carry); - MP_SUB_BORROW(r7, a10, r7, carry, carry); - r8 -= carry; - /* diff 6 */ - MP_SUB_BORROW(r0, a12, r0, 0, carry); - MP_SUB_BORROW(r1, a13, r1, carry, carry); - MP_SUB_BORROW(r2, a14, r2, carry, carry); - MP_SUB_BORROW(r3, a15, r3, carry, carry); - MP_SUB_BORROW(r4, 0, r4, carry, carry); - MP_SUB_BORROW(r5, 0, r5, carry, carry); - MP_SUB_BORROW(r6, a9, r6, carry, carry); - MP_SUB_BORROW(r7, a11, r7, carry, carry); - r8 -= carry; - /* diff 7 */ - MP_SUB_BORROW(r0, a13, r0, 0, carry); - MP_SUB_BORROW(r1, a14, r1, carry, carry); - MP_SUB_BORROW(r2, a15, r2, carry, carry); - MP_SUB_BORROW(r3, a8, r3, carry, carry); - MP_SUB_BORROW(r4, a9, r4, carry, 
carry); - MP_SUB_BORROW(r5, a10, r5, carry, carry); - MP_SUB_BORROW(r6, 0, r6, carry, carry); - MP_SUB_BORROW(r7, a12, r7, carry, carry); - r8 -= carry; - /* diff 8 */ - MP_SUB_BORROW(r0, a14, r0, 0, carry); - MP_SUB_BORROW(r1, a15, r1, carry, carry); - MP_SUB_BORROW(r2, 0, r2, carry, carry); - MP_SUB_BORROW(r3, a9, r3, carry, carry); - MP_SUB_BORROW(r4, a10, r4, carry, carry); - MP_SUB_BORROW(r5, a11, r5, carry, carry); - MP_SUB_BORROW(r6, 0, r6, carry, carry); - MP_SUB_BORROW(r7, a13, r7, carry, carry); - r8 -= carry; - - /* reduce the overflows */ - while (r8 > 0) { - mp_digit r8_d = r8; - MP_ADD_CARRY(r0, r8_d, r0, 0, carry); - MP_ADD_CARRY(r1, 0, r1, carry, carry); - MP_ADD_CARRY(r2, 0, r2, carry, carry); - MP_ADD_CARRY(r3, -r8_d, r3, carry, carry); - MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry, carry); - MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry, carry); - MP_ADD_CARRY(r6, -(r8_d+1), r6, carry, carry); - MP_ADD_CARRY(r7, (r8_d-1), r7, carry, carry); - r8 = carry; - } - - /* reduce the underflows */ - while (r8 < 0) { - mp_digit r8_d = -r8; - MP_SUB_BORROW(r0, r8_d, r0, 0, carry); - MP_SUB_BORROW(r1, 0, r1, carry, carry); - MP_SUB_BORROW(r2, 0, r2, carry, carry); - MP_SUB_BORROW(r3, -r8_d, r3, carry, carry); - MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry, carry); - MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry, carry); - MP_SUB_BORROW(r6, -(r8_d+1), r6, carry, carry); - MP_SUB_BORROW(r7, (r8_d-1), r7, carry, carry); - r8 = -carry; - } - if (a != r) { - MP_CHECKOK(s_mp_pad(r,8)); - } - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 8; - - MP_DIGIT(r,7) = r7; - MP_DIGIT(r,6) = r6; - MP_DIGIT(r,5) = r5; - MP_DIGIT(r,4) = r4; - MP_DIGIT(r,3) = r3; - MP_DIGIT(r,2) = r2; - MP_DIGIT(r,1) = r1; - MP_DIGIT(r,0) = r0; - - /* final reduction if necessary */ - if ((r7 == MP_DIGIT_MAX) && - ((r6 > 1) || ((r6 == 1) && - (r5 || r4 || r3 || - ((r2 == MP_DIGIT_MAX) && (r1 == MP_DIGIT_MAX) - && (r0 == MP_DIGIT_MAX)))))) { - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } -#ifdef notdef - - - /* smooth 
the negatives */ - while (MP_SIGN(r) != MP_ZPOS) { - MP_CHECKOK(mp_add(r, &meth->irr, r)); - } - while (MP_USED(r) > 8) { - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } - - /* final reduction if necessary */ - if (MP_DIGIT(r,7) >= MP_DIGIT(&meth->irr,7)) { - if (mp_cmp(r,&meth->irr) != MP_LT) { - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } - } -#endif - s_mp_clamp(r); -#else - switch (a_used) { - case 8: - a7 = MP_DIGIT(a,7); - case 7: - a6 = MP_DIGIT(a,6); - case 6: - a5 = MP_DIGIT(a,5); - case 5: - a4 = MP_DIGIT(a,4); - } - a7l = a7 << 32; - a7h = a7 >> 32; - a6l = a6 << 32; - a6h = a6 >> 32; - a5l = a5 << 32; - a5h = a5 >> 32; - a4l = a4 << 32; - a4h = a4 >> 32; - r3 = MP_DIGIT(a,3); - r2 = MP_DIGIT(a,2); - r1 = MP_DIGIT(a,1); - r0 = MP_DIGIT(a,0); - - /* sum 1 */ - MP_ADD_CARRY(r1, a5h << 32, r1, 0, carry); - MP_ADD_CARRY(r2, a6, r2, carry, carry); - MP_ADD_CARRY(r3, a7, r3, carry, carry); - r4 = carry; - MP_ADD_CARRY(r1, a5h << 32, r1, 0, carry); - MP_ADD_CARRY(r2, a6, r2, carry, carry); - MP_ADD_CARRY(r3, a7, r3, carry, carry); - r4 += carry; - /* sum 2 */ - MP_ADD_CARRY(r1, a6l, r1, 0, carry); - MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry); - MP_ADD_CARRY(r3, a7h, r3, carry, carry); - r4 += carry; - MP_ADD_CARRY(r1, a6l, r1, 0, carry); - MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry); - MP_ADD_CARRY(r3, a7h, r3, carry, carry); - r4 += carry; - - /* sum 3 */ - MP_ADD_CARRY(r0, a4, r0, 0, carry); - MP_ADD_CARRY(r1, a5l >> 32, r1, carry, carry); - MP_ADD_CARRY(r2, 0, r2, carry, carry); - MP_ADD_CARRY(r3, a7, r3, carry, carry); - r4 += carry; - /* sum 4 */ - MP_ADD_CARRY(r0, a4h | a5l, r0, 0, carry); - MP_ADD_CARRY(r1, a5h|(a6h<<32), r1, carry, carry); - MP_ADD_CARRY(r2, a7, r2, carry, carry); - MP_ADD_CARRY(r3, a6h | a4l, r3, carry, carry); - r4 += carry; - /* diff 5 */ - MP_SUB_BORROW(r0, a5h | a6l, r0, 0, carry); - MP_SUB_BORROW(r1, a6h, r1, carry, carry); - MP_SUB_BORROW(r2, 0, r2, carry, carry); - MP_SUB_BORROW(r3, (a4l>>32)|a5l,r3, carry, carry); - r4 -= carry; 
- /* diff 6 */ - MP_SUB_BORROW(r0, a6, r0, 0, carry); - MP_SUB_BORROW(r1, a7, r1, carry, carry); - MP_SUB_BORROW(r2, 0, r2, carry, carry); - MP_SUB_BORROW(r3, a4h|(a5h<<32),r3, carry, carry); - r4 -= carry; - /* diff 7 */ - MP_SUB_BORROW(r0, a6h|a7l, r0, 0, carry); - MP_SUB_BORROW(r1, a7h|a4l, r1, carry, carry); - MP_SUB_BORROW(r2, a4h|a5l, r2, carry, carry); - MP_SUB_BORROW(r3, a6l, r3, carry, carry); - r4 -= carry; - /* diff 8 */ - MP_SUB_BORROW(r0, a7, r0, 0, carry); - MP_SUB_BORROW(r1, a4h<<32, r1, carry, carry); - MP_SUB_BORROW(r2, a5, r2, carry, carry); - MP_SUB_BORROW(r3, a6h<<32, r3, carry, carry); - r4 -= carry; - - /* reduce the overflows */ - while (r4 > 0) { - mp_digit r4_long = r4; - mp_digit r4l = (r4_long << 32); - MP_ADD_CARRY(r0, r4_long, r0, 0, carry); - MP_ADD_CARRY(r1, -r4l, r1, carry, carry); - MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry, carry); - MP_ADD_CARRY(r3, r4l-r4_long-1,r3, carry, carry); - r4 = carry; - } - - /* reduce the underflows */ - while (r4 < 0) { - mp_digit r4_long = -r4; - mp_digit r4l = (r4_long << 32); - MP_SUB_BORROW(r0, r4_long, r0, 0, carry); - MP_SUB_BORROW(r1, -r4l, r1, carry, carry); - MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry, carry); - MP_SUB_BORROW(r3, r4l-r4_long-1,r3, carry, carry); - r4 = -carry; - } - - if (a != r) { - MP_CHECKOK(s_mp_pad(r,4)); - } - MP_SIGN(r) = MP_ZPOS; - MP_USED(r) = 4; - - MP_DIGIT(r,3) = r3; - MP_DIGIT(r,2) = r2; - MP_DIGIT(r,1) = r1; - MP_DIGIT(r,0) = r0; - - /* final reduction if necessary */ - if ((r3 > 0xFFFFFFFF00000001ULL) || - ((r3 == 0xFFFFFFFF00000001ULL) && - (r2 || (r1 >> 32)|| - (r1 == 0xFFFFFFFFULL && r0 == MP_DIGIT_MAX)))) { - /* very rare, just use mp_sub */ - MP_CHECKOK(mp_sub(r, &meth->irr, r)); - } - - s_mp_clamp(r); -#endif - } - - CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p256. Store the - * result in r. r could be a. Uses optimized modular reduction for p256. 
- */ -mp_err -ec_GFp_nistp256_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p256. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p256. */ -mp_err -ec_GFp_nistp256_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. */ -mp_err -ec_group_set_gfp256(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P256) { - group->meth->field_mod = &ec_GFp_nistp256_mod; - group->meth->field_mul = &ec_GFp_nistp256_mul; - group->meth->field_sqr = &ec_GFp_nistp256_sqr; - } - return MP_OKAY; -} diff --git a/security/nss/lib/freebl/ecl/ecp_384.c b/security/nss/lib/freebl/ecl/ecp_384.c deleted file mode 100644 index 4ad4137d2..000000000 --- a/security/nss/lib/freebl/ecl/ecp_384.c +++ /dev/null 
@@ -1,293 +0,0 @@ -/* - * ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the elliptic curve math library for prime field curves. - * - * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. - * Portions created by the Initial Developer are Copyright (C) 2003 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Douglas Stebila <douglas@stebila.ca> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" -#include <stdlib.h> - -/* Fast modular reduction for p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1. 
a can be r. - * Uses algorithm 2.30 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -mp_err -ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - int a_bits = mpl_significant_bits(a); - int i; - - /* m1, m2 are statically-allocated mp_int of exactly the size we need */ - mp_int m[10]; - -#ifdef ECL_THIRTY_TWO_BIT - mp_digit s[10][12]; - for (i = 0; i < 10; i++) { - MP_SIGN(&m[i]) = MP_ZPOS; - MP_ALLOC(&m[i]) = 12; - MP_USED(&m[i]) = 12; - MP_DIGITS(&m[i]) = s[i]; - } -#else - mp_digit s[10][6]; - for (i = 0; i < 10; i++) { - MP_SIGN(&m[i]) = MP_ZPOS; - MP_ALLOC(&m[i]) = 6; - MP_USED(&m[i]) = 6; - MP_DIGITS(&m[i]) = s[i]; - } -#endif - -#ifdef ECL_THIRTY_TWO_BIT - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if ((a_bits > 768) || (a_bits <= 736)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - for (i = 0; i < 12; i++) { - s[0][i] = MP_DIGIT(a, i); - } - s[1][0] = 0; - s[1][1] = 0; - s[1][2] = 0; - s[1][3] = 0; - s[1][4] = MP_DIGIT(a, 21); - s[1][5] = MP_DIGIT(a, 22); - s[1][6] = MP_DIGIT(a, 23); - s[1][7] = 0; - s[1][8] = 0; - s[1][9] = 0; - s[1][10] = 0; - s[1][11] = 0; - for (i = 0; i < 12; i++) { - s[2][i] = MP_DIGIT(a, i+12); - } - s[3][0] = MP_DIGIT(a, 21); - s[3][1] = MP_DIGIT(a, 22); - s[3][2] = MP_DIGIT(a, 23); - for (i = 3; i < 12; i++) { - s[3][i] = MP_DIGIT(a, i+9); - } - s[4][0] = 0; - s[4][1] = MP_DIGIT(a, 23); - s[4][2] = 0; - s[4][3] = MP_DIGIT(a, 20); - for (i = 4; i < 12; i++) { - s[4][i] = MP_DIGIT(a, i+8); - } - s[5][0] = 0; - s[5][1] = 0; - s[5][2] = 0; - s[5][3] = 0; - s[5][4] = MP_DIGIT(a, 20); - s[5][5] = MP_DIGIT(a, 21); - s[5][6] = MP_DIGIT(a, 22); - s[5][7] = MP_DIGIT(a, 23); - s[5][8] = 0; - s[5][9] = 0; - s[5][10] = 0; - s[5][11] = 0; - s[6][0] = MP_DIGIT(a, 20); - s[6][1] = 0; - s[6][2] = 0; - s[6][3] = MP_DIGIT(a, 21); - s[6][4] = MP_DIGIT(a, 22); - s[6][5] = MP_DIGIT(a, 23); - 
s[6][6] = 0; - s[6][7] = 0; - s[6][8] = 0; - s[6][9] = 0; - s[6][10] = 0; - s[6][11] = 0; - s[7][0] = MP_DIGIT(a, 23); - for (i = 1; i < 12; i++) { - s[7][i] = MP_DIGIT(a, i+11); - } - s[8][0] = 0; - s[8][1] = MP_DIGIT(a, 20); - s[8][2] = MP_DIGIT(a, 21); - s[8][3] = MP_DIGIT(a, 22); - s[8][4] = MP_DIGIT(a, 23); - s[8][5] = 0; - s[8][6] = 0; - s[8][7] = 0; - s[8][8] = 0; - s[8][9] = 0; - s[8][10] = 0; - s[8][11] = 0; - s[9][0] = 0; - s[9][1] = 0; - s[9][2] = 0; - s[9][3] = MP_DIGIT(a, 23); - s[9][4] = MP_DIGIT(a, 23); - s[9][5] = 0; - s[9][6] = 0; - s[9][7] = 0; - s[9][8] = 0; - s[9][9] = 0; - s[9][10] = 0; - s[9][11] = 0; - - MP_CHECKOK(mp_add(&m[0], &m[1], r)); - MP_CHECKOK(mp_add(r, &m[1], r)); - MP_CHECKOK(mp_add(r, &m[2], r)); - MP_CHECKOK(mp_add(r, &m[3], r)); - MP_CHECKOK(mp_add(r, &m[4], r)); - MP_CHECKOK(mp_add(r, &m[5], r)); - MP_CHECKOK(mp_add(r, &m[6], r)); - MP_CHECKOK(mp_sub(r, &m[7], r)); - MP_CHECKOK(mp_sub(r, &m[8], r)); - MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r)); - s_mp_clamp(r); - } -#else - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if ((a_bits > 768) || (a_bits <= 736)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { - for (i = 0; i < 6; i++) { - s[0][i] = MP_DIGIT(a, i); - } - s[1][0] = 0; - s[1][1] = 0; - s[1][2] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[1][3] = MP_DIGIT(a, 11) >> 32; - s[1][4] = 0; - s[1][5] = 0; - for (i = 0; i < 6; i++) { - s[2][i] = MP_DIGIT(a, i+6); - } - s[3][0] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[3][1] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32); - for (i = 2; i < 6; i++) { - s[3][i] = (MP_DIGIT(a, i+4) >> 32) | (MP_DIGIT(a, i+5) << 32); - } - s[4][0] = (MP_DIGIT(a, 11) >> 32) << 32; - s[4][1] = MP_DIGIT(a, 10) << 32; - for (i = 2; i < 6; i++) { - s[4][i] = MP_DIGIT(a, i+4); - } - s[5][0] = 0; - s[5][1] = 0; - s[5][2] = MP_DIGIT(a, 10); - s[5][3] = MP_DIGIT(a, 11); - s[5][4] = 0; - s[5][5] = 
0; - s[6][0] = (MP_DIGIT(a, 10) << 32) >> 32; - s[6][1] = (MP_DIGIT(a, 10) >> 32) << 32; - s[6][2] = MP_DIGIT(a, 11); - s[6][3] = 0; - s[6][4] = 0; - s[6][5] = 0; - s[7][0] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32); - for (i = 1; i < 6; i++) { - s[7][i] = (MP_DIGIT(a, i+5) >> 32) | (MP_DIGIT(a, i+6) << 32); - } - s[8][0] = MP_DIGIT(a, 10) << 32; - s[8][1] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32); - s[8][2] = MP_DIGIT(a, 11) >> 32; - s[8][3] = 0; - s[8][4] = 0; - s[8][5] = 0; - s[9][0] = 0; - s[9][1] = (MP_DIGIT(a, 11) >> 32) << 32; - s[9][2] = MP_DIGIT(a, 11) >> 32; - s[9][3] = 0; - s[9][4] = 0; - s[9][5] = 0; - - MP_CHECKOK(mp_add(&m[0], &m[1], r)); - MP_CHECKOK(mp_add(r, &m[1], r)); - MP_CHECKOK(mp_add(r, &m[2], r)); - MP_CHECKOK(mp_add(r, &m[3], r)); - MP_CHECKOK(mp_add(r, &m[4], r)); - MP_CHECKOK(mp_add(r, &m[5], r)); - MP_CHECKOK(mp_add(r, &m[6], r)); - MP_CHECKOK(mp_sub(r, &m[7], r)); - MP_CHECKOK(mp_sub(r, &m[8], r)); - MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r)); - s_mp_clamp(r); - } -#endif - - CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p384. Store the - * result in r. r could be a. Uses optimized modular reduction for p384. - */ -mp_err -ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p384. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p384. */ -mp_err -ec_GFp_nistp384_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. 
*/ -mp_err -ec_group_set_gfp384(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P384) { - group->meth->field_mod = &ec_GFp_nistp384_mod; - group->meth->field_mul = &ec_GFp_nistp384_mul; - group->meth->field_sqr = &ec_GFp_nistp384_sqr; - } - return MP_OKAY; -} diff --git a/security/nss/lib/freebl/ecl/ecp_521.c b/security/nss/lib/freebl/ecl/ecp_521.c deleted file mode 100644 index 685d19b9f..000000000 --- a/security/nss/lib/freebl/ecl/ecp_521.c +++ /dev/null 
@@ -1,170 +0,0 @@ -/* - * ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the elliptic curve math library for prime field curves. - * - * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. - * Portions created by the Initial Developer are Copyright (C) 2003 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Douglas Stebila <douglas@stebila.ca> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#include "ecp.h" -#include "mpi.h" -#include "mplogic.h" -#include "mpi-priv.h" -#include <stdlib.h> - -#define ECP521_DIGITS ECL_CURVE_DIGITS(521) - -/* Fast modular reduction for p521 = 2^521 - 1. a can be r. Uses - * algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to - * Elliptic Curve Cryptography. */ -mp_err -ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - int a_bits = mpl_significant_bits(a); - int i; - - /* m1, m2 are statically-allocated mp_int of exactly the size we need */ - mp_int m1; - - mp_digit s1[ECP521_DIGITS] = { 0 }; - - MP_SIGN(&m1) = MP_ZPOS; - MP_ALLOC(&m1) = ECP521_DIGITS; - MP_USED(&m1) = ECP521_DIGITS; - MP_DIGITS(&m1) = s1; - - if (a_bits < 521) { - if (a==r) return MP_OKAY; - return mp_copy(a, r); - } - /* for polynomials larger than twice the field size or polynomials - * not using all words, use regular reduction */ - if (a_bits > (521*2)) { - MP_CHECKOK(mp_mod(a, &meth->irr, r)); - } else { -#define FIRST_DIGIT (ECP521_DIGITS-1) - for (i = FIRST_DIGIT; i < MP_USED(a)-1; i++) { - s1[i-FIRST_DIGIT] = (MP_DIGIT(a, i) >> 9) - | (MP_DIGIT(a, 1+i) << (MP_DIGIT_BIT-9)); - } - s1[i-FIRST_DIGIT] = MP_DIGIT(a, i) >> 9; - - if ( a != r ) { - MP_CHECKOK(s_mp_pad(r,ECP521_DIGITS)); - for (i = 0; i < ECP521_DIGITS; i++) { - MP_DIGIT(r,i) = MP_DIGIT(a, i); - } - } - MP_USED(r) = ECP521_DIGITS; - MP_DIGIT(r,FIRST_DIGIT) &= 0x1FF; - - MP_CHECKOK(s_mp_add(r, &m1)); - if (MP_DIGIT(r, FIRST_DIGIT) & 0x200) { - MP_CHECKOK(s_mp_add_d(r,1)); - MP_DIGIT(r,FIRST_DIGIT) &= 0x1FF; - } - s_mp_clamp(r); - } - - CLEANUP: - return res; -} - -/* Compute the square of polynomial a, reduce modulo p521. Store the - * result in r. r could be a. Uses optimized modular reduction for p521. 
- */ -mp_err -ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_sqr(a, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Compute the product of two polynomials a and b, reduce modulo p521. - * Store the result in r. r could be a or b; a could be b. Uses - * optimized modular reduction for p521. */ -mp_err -ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - - MP_CHECKOK(mp_mul(a, b, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); - CLEANUP: - return res; -} - -/* Divides two field elements. If a is NULL, then returns the inverse of - * b. */ -mp_err -ec_GFp_nistp521_div(const mp_int *a, const mp_int *b, mp_int *r, - const GFMethod *meth) -{ - mp_err res = MP_OKAY; - mp_int t; - - /* If a is NULL, then return the inverse of b, otherwise return a/b. */ - if (a == NULL) { - return mp_invmod(b, &meth->irr, r); - } else { - /* MPI doesn't support divmod, so we implement it using invmod and - * mulmod. */ - MP_CHECKOK(mp_init(&t)); - MP_CHECKOK(mp_invmod(b, &meth->irr, &t)); - MP_CHECKOK(mp_mul(a, &t, r)); - MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth)); - CLEANUP: - mp_clear(&t); - return res; - } -} - -/* Wire in fast field arithmetic and precomputation of base point for - * named curves. */ -mp_err -ec_group_set_gfp521(ECGroup *group, ECCurveName name) -{ - if (name == ECCurve_NIST_P521) { - group->meth->field_mod = &ec_GFp_nistp521_mod; - group->meth->field_mul = &ec_GFp_nistp521_mul; - group->meth->field_sqr = &ec_GFp_nistp521_sqr; - group->meth->field_div = &ec_GFp_nistp521_div; - } - return MP_OKAY; -} diff --git a/security/nss/lib/freebl/mpi/mpi_x86_asm.c b/security/nss/lib/freebl/mpi/mpi_x86_asm.c deleted file mode 100644 index b8a224f14..000000000 --- a/security/nss/lib/freebl/mpi/mpi_x86_asm.c +++ /dev/null 
@@ -1,368 +0,0 @@ -/* - * mpi_x86.c - MSVC inline assembly implementation of s_mpv_ functions. - * - * ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Benjamin Smedberg <benjamin@smedbergs.us> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#include "mpi-priv.h" - -/* - * ebp - 36: caller's esi - * ebp - 32: caller's edi - * ebp - 28: - * ebp - 24: - * ebp - 20: - * ebp - 16: - * ebp - 12: - * ebp - 8: - * ebp - 4: - * ebp + 0: caller's ebp - * ebp + 4: return address - * ebp + 8: a argument - * ebp + 12: a_len argument - * ebp + 16: b argument - * ebp + 20: c argument - * registers: - * eax: - * ebx: carry - * ecx: a_len - * edx: - * esi: a ptr - * edi: c ptr - */ -__declspec(naked) void -s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) -{ - __asm { - push ebp - mov ebp,esp - sub esp,28 - push edi - push esi - push ebx - mov ebx,0 ; carry = 0 - mov ecx,[ebp+12] ; ecx = a_len - mov edi,[ebp+20] - cmp ecx,0 - je L_2 ; jmp if a_len == 0 - mov esi,[ebp+8] ; esi = a - cld -L_1: - lodsd ; eax = [ds:esi]; esi += 4 - mov edx,[ebp+16] ; edx = b - mul edx ; edx:eax = Phi:Plo = a_i * b - - add eax,ebx ; add carry (ebx) to edx:eax - adc edx,0 - mov ebx,edx ; high half of product becomes next carry - - stosd ; [es:edi] = ax; edi += 4; - dec ecx ; --a_len - jnz L_1 ; jmp if a_len != 0 -L_2: - mov [edi],ebx ; *c = carry - pop ebx - pop esi - pop edi - leave - ret - nop - } -} - -/* - * ebp - 36: caller's esi - * ebp - 32: caller's edi - * ebp - 28: - * ebp - 24: - * ebp - 20: - * ebp - 16: - * ebp - 12: - * ebp - 8: - * ebp - 4: - * ebp + 0: caller's ebp - * ebp + 4: return address - * ebp + 8: a argument - * ebp + 12: a_len argument - * ebp + 16: b argument - * ebp + 20: c argument - * registers: - * eax: - * ebx: carry - * ecx: a_len - * edx: - * esi: a ptr - * edi: c ptr - */ -__declspec(naked) void -s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) -{ - __asm { - push ebp - mov ebp,esp - sub esp,28 - push edi - push esi - push ebx - mov ebx,0 ; carry = 0 - mov ecx,[ebp+12] ; ecx = a_len - mov edi,[ebp+20] - cmp ecx,0 - je L_4 ; jmp if a_len == 0 - mov esi,[ebp+8] ; esi = a - cld -L_3: - lodsd ; eax = [ds:esi]; esi += 4 - 
mov edx,[ebp+16] ; edx = b - mul edx ; edx:eax = Phi:Plo = a_i * b - - add eax,ebx ; add carry (ebx) to edx:eax - adc edx,0 - mov ebx,[edi] ; add in current word from *c - add eax,ebx - adc edx,0 - mov ebx,edx ; high half of product becomes next carry - - stosd ; [es:edi] = ax; edi += 4; - dec ecx ; --a_len - jnz L_3 ; jmp if a_len != 0 -L_4: - mov [edi],ebx ; *c = carry - pop ebx - pop esi - pop edi - leave - ret - nop - } -} - -/* - * ebp - 36: caller's esi - * ebp - 32: caller's edi - * ebp - 28: - * ebp - 24: - * ebp - 20: - * ebp - 16: - * ebp - 12: - * ebp - 8: - * ebp - 4: - * ebp + 0: caller's ebp - * ebp + 4: return address - * ebp + 8: a argument - * ebp + 12: a_len argument - * ebp + 16: b argument - * ebp + 20: c argument - * registers: - * eax: - * ebx: carry - * ecx: a_len - * edx: - * esi: a ptr - * edi: c ptr - */ -__declspec(naked) void -s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) -{ - __asm { - push ebp - mov ebp,esp - sub esp,28 - push edi - push esi - push ebx - mov ebx,0 ; carry = 0 - mov ecx,[ebp+12] ; ecx = a_len - mov edi,[ebp+20] - cmp ecx,0 - je L_6 ; jmp if a_len == 0 - cld - mov esi,[ebp+8] ; esi = a -L_5: - lodsd ; eax = [ds:esi]; esi += 4 - mov edx,[ebp+16] ; edx = b - mul edx ; edx:eax = Phi:Plo = a_i * b - - add eax,ebx ; add carry (ebx) to edx:eax - adc edx,0 - mov ebx,[edi] ; add in current word from *c - add eax,ebx - adc edx,0 - mov ebx,edx ; high half of product becomes next carry - - stosd ; [es:edi] = ax; edi += 4; - dec ecx ; --a_len - jnz L_5 ; jmp if a_len != 0 -L_6: - cmp ebx,0 ; is carry zero? 
- jz L_8 - mov eax,[edi] ; add in current word from *c - add eax,ebx - stosd ; [es:edi] = ax; edi += 4; - jnc L_8 -L_7: - mov eax,[edi] ; add in current word from *c - adc eax,0 - stosd ; [es:edi] = ax; edi += 4; - jc L_7 -L_8: - pop ebx - pop esi - pop edi - leave - ret - nop - } -} - -/* - * ebp - 20: caller's esi - * ebp - 16: caller's edi - * ebp - 12: - * ebp - 8: carry - * ebp - 4: a_len local - * ebp + 0: caller's ebp - * ebp + 4: return address - * ebp + 8: pa argument - * ebp + 12: a_len argument - * ebp + 16: ps argument - * ebp + 20: - * registers: - * eax: - * ebx: carry - * ecx: a_len - * edx: - * esi: a ptr - * edi: c ptr - */ -__declspec(naked) void -s_mpv_sqr_add_prop(const mp_digit *a, mp_size a_len, mp_digit *sqrs) -{ - __asm { - push ebp - mov ebp,esp - sub esp,12 - push edi - push esi - push ebx - mov ebx,0 ; carry = 0 - mov ecx,[ebp+12] ; a_len - mov edi,[ebp+16] ; edi = ps - cmp ecx,0 - je L_11 ; jump if a_len == 0 - cld - mov esi,[ebp+8] ; esi = pa -L_10: - lodsd ; eax = [ds:si]; si += 4; - mul eax - - add eax,ebx ; add "carry" - adc edx,0 - mov ebx,[edi] - add eax,ebx ; add low word from result - mov ebx,[edi+4] - stosd ; [es:di] = eax; di += 4; - adc edx,ebx ; add high word from result - mov ebx,0 - mov eax,edx - adc ebx,0 - stosd ; [es:di] = eax; di += 4; - dec ecx ; --a_len - jnz L_10 ; jmp if a_len != 0 -L_11: - cmp ebx,0 ; is carry zero? - jz L_14 - mov eax,[edi] ; add in current word from *c - add eax,ebx - stosd ; [es:edi] = ax; edi += 4; - jnc L_14 -L_12: - mov eax,[edi] ; add in current word from *c - adc eax,0 - stosd ; [es:edi] = ax; edi += 4; - jc L_12 -L_14: - pop ebx - pop esi - pop edi - leave - ret - nop - } -} - -/* - * Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized - * so its high bit is 1. This code is from NSPR. 
- *
- * Dump of assembler code for function s_mpv_div_2dx1d:
- *
- * esp + 0: Caller's ebx
- * esp + 4: return address
- * esp + 8: Nhi argument
- * esp + 12: Nlo argument
- * esp + 16: divisor argument
- * esp + 20: qp argument
- * esp + 24: rp argument
- * registers:
- * eax:
- * ebx: carry
- * ecx: a_len
- * edx:
- * esi: a ptr
- * edi: c ptr
- */
-__declspec(naked) mp_err
-s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
- mp_digit *qp, mp_digit *rp)
-{
- __asm {
- push ebx
- mov edx,[esp+8]
- mov eax,[esp+12]
- mov ebx,[esp+16]
- div ebx
- mov ebx,[esp+20]
- mov [ebx],eax
- mov ebx,[esp+24]
- mov [ebx],edx
- xor eax,eax ; return zero
- pop ebx
- ret
- nop
- }
-}
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index d4f8ff8a1..b02dd61ef 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -872,9 +872,3 @@ SECMOD_OpenUserDB;
 ;+ local:
 ;+ *;
 ;+};
-;+NSS_3.11.1 {
-;+ global:
-SEC_RegisterDefaultHttpClient;
-;+ local:
-;+ *;
-;+};
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index a0a1fafa4..adf3efb04 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -57,7 +57,6 @@
 #include "pki3hack.h"
 #include "certi.h"
 #include "secmodi.h"
-#include "ocspi.h"
 /*
 * On Windows nss3.dll needs to export the symbol 'mktemp' to be
@@ -420,10 +419,6 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
 if (SECSuccess != InitCRLCache()) {
 return SECFailure;
 }
-
- if (SECSuccess != InitOCSPGlobal()) {
- return SECFailure;
- }
 flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
 pk11_password_required, optimizeSpace);
diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt
deleted file mode 100644
index 493cd375e..000000000
--- a/security/nss/tests/cert/certext.txt
+++ /dev/null
@@ -1,132 +0,0 @@ -# File syntax: -# '#' comments. -# If the line starts from '!'('! TEST_N Test Name String'), -# then 'Test Name String' will be the name of a test(starting -# from second space till the rest of the line). -# All uncommented lines are hard codded answers to certutil -# extension questions. -# Line '= N string1|string2|string3': '=' is a stop sign -# of certutil inputs and start of the test. 'N' is the number -# of extension that will be tested. 'string1|string2|string3' -# are grep patterns for test result verification. '_' in stringN -# will be replaced to a space. -# ################################################################ -! TEST_1 Certificate Key Usage Extension -0 -1 -2 -3 -4 -5 -6 -10 -n -= 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing -# ################################################################ -! TEST_2 Certificate Key Usage Extension -0 -1 -2 -3 -4 -5 -6 -10 -y -= 1 Certificate_Key_Usage|Digital_Signature|Critical:_True -# ################################################################ -! TEST_3 Certificate Basic Constraints Extension -y --1 -n -= 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum -# ################################################################ -! TEST_4 Certificate Basic Constraints Extension -n --1 -y -= 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True -# ################################################################ -! TEST_5 Certificate Authority Key Identifier Extension -y -12341235123 - - -y -= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123 -# ################################################################ -! 
TEST_6 Certificate Authority Key Identifier Extension -y - -3 -test.com - -214123 -y -= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123 -# ################################################################ -! TEST_7 CRL Distribution Points Extension -1 -1 -InstanceOfOtherName -2 -rfc822Name -3 -test.com -4 -test@test.com -6 -ediPArtyName -8 -ipAddress -9 -123451235 -10 -0 -10 -n -n -= 4 Name:_CRL_Distribution_Points|InstanceOfOtherName|rfc822Name|test.com|test@test.com|ediPArtyName -# ################################################################# -! TEST_8 CRL Distribution Points Extension -2 -SN=asdfsdf -4 -3 -test.com -10 -n -n -= 4 Name:_CRL_Distribution_Points|X520_Title|"asdfsdf"|Reasons:|DNS_name:_"test.com" -# ################################################################ -! TEST_9 Certificate Type Extension -0 -1 -2 -10 -n -= 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME> -# ################################################################ -! TEST_10 Extended Key Usage Extension -0 -1 -2 -3 -4 -5 -6 -10 -y -= 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved -# ################################################################ -! TEST_11 Certificate Key Usage Extension - -1 -2 -3 -4 -5 -6 -10 -n -= 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing |