authornelsonb%netscape.com <devnull@localhost>2001-01-05 01:38:26 +0000
committernelsonb%netscape.com <devnull@localhost>2001-01-05 01:38:26 +0000
commit2c37abab0f2d147bcccec46f9d6e2dd71aec2b94 (patch)
treed560ab158deca81666194ba5ad23141a9a8197bd /security/nss/cmd
parentbdd0ac1e42e583a42e8aa1d7405a35a11df209ef (diff)
Changes to deal with exporting data from Windows DLLs.
SECHashObjects[] is no longer exported. New function HASH_GetHashObject returns pointer to selected const object. SSL statistics are now in a structure whose address is obtained via a call to SSL_GetStatistics(). On NT, the new symbol NSS_USE_STATIC_LIBS must be declared in programs that use the static SSL library. Also, propagate "const" declaration for SECHashObjects.
Diffstat (limited to 'security/nss/cmd')
-rw-r--r--security/nss/cmd/SSLsample/sslsample.c22
-rw-r--r--security/nss/cmd/p7sign/p7sign.c5
-rw-r--r--security/nss/cmd/p7verify/p7verify.c5
-rw-r--r--security/nss/cmd/platlibs.mk1
-rw-r--r--security/nss/cmd/selfserv/selfserv.c329
-rw-r--r--security/nss/cmd/signtool/sign.c5
-rw-r--r--security/nss/cmd/signver/signver.c5
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c53
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c51
9 files changed, 170 insertions, 306 deletions
diff --git a/security/nss/cmd/SSLsample/sslsample.c b/security/nss/cmd/SSLsample/sslsample.c
index 7270c3f8e..564a6e785 100644
--- a/security/nss/cmd/SSLsample/sslsample.c
+++ b/security/nss/cmd/SSLsample/sslsample.c
@@ -391,23 +391,7 @@ printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-#if 0
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-#endif
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result != SECSuccess)
@@ -420,8 +404,8 @@ extern long ssl3_hch_sid_cache_not_ok;
PR_Free(sp);
printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
}
diff --git a/security/nss/cmd/p7sign/p7sign.c b/security/nss/cmd/p7sign/p7sign.c
index d8047a89a..b78193d83 100644
--- a/security/nss/cmd/p7sign/p7sign.c
+++ b/security/nss/cmd/p7sign/p7sign.c
@@ -45,6 +45,7 @@
#include "cert.h"
#include "certdb.h"
#include "cdbhdl.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
#if defined(XP_UNIX)
#include <unistd.h>
@@ -127,11 +128,11 @@ SignOut(void *arg, const char *buf, unsigned long len)
static int
CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen)
{
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
/* XXX probably want to extend interface to allow other hash algorithms */
- hashObj = &SECHashObjects[HASH_AlgSHA1];
+ hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
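Review bot: `hashObj` is dereferenced on the very next line (`(* hashObj->create)()`) without checking what `HASH_GetHashObject()` returned. How the accessor behaves for an unsupported hash type is not visible in this diff; if it can return NULL, a guard such as `if (hashObj == NULL)` that fails the same way as the existing `hashcx == NULL` branch belongs here. The same pattern appears in DigestFile (p7verify.c), SignFile (signtool/sign.c) and DigestData (signver.c). In DigestFile and DigestData the hash type is a caller-supplied parameter rather than the constant `HASH_AlgSHA1`, so the check matters most there. CreateDigest's body continues past the end of this hunk.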
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
index f9485de51..d86ef1e17 100644
--- a/security/nss/cmd/p7verify/p7verify.c
+++ b/security/nss/cmd/p7verify/p7verify.c
@@ -45,6 +45,7 @@
#include "certdb.h"
#include "cdbhdl.h"
#include "secoid.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
#if defined(XP_UNIX)
#include <unistd.h>
@@ -87,10 +88,10 @@ DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
{
int nb;
char ibuf[4096];
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
- hashObj = &SECHashObjects[hashType];
+ hashObj = HASH_GetHashObject(hashType);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
index 52b12cf8b..7b326a21c 100644
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -36,6 +36,7 @@ ifdef USE_STATIC_LIBS
# can't do this in manifest.mn because OS_ARCH isn't defined there.
ifeq ($(OS_ARCH), WINNT)
+DEFINES += -DNSS_USE_STATIC_LIBS
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/freebl.lib
ifdef MOZILLA_SECURITY_BUILD
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index a00afa1b7..b98fc6e9e 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -46,6 +46,10 @@
#include <unistd.h>
#endif
+#if defined(_WINDOWS)
+#include <process.h> /* for getpid() */
+#endif
+
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
@@ -188,50 +192,6 @@ Usage(const char *progName)
progName);
}
-static void
-networkStart(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
-
- WORD wVersionRequested;
- WSADATA wsaData;
- int err;
- wVersionRequested = MAKEWORD(1, 1);
-
- err = WSAStartup(wVersionRequested, &wsaData);
-
- if (err != 0) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("WSAStartup failed!\n", stderr);
- exit(1);
- }
-
-/* Confirm that the Windows Sockets DLL supports 1.1.*/
-/* Note that if the DLL supports versions greater */
-/* than 1.1 in addition to 1.1, it will still return */
-/* 1.1 in wVersion since that is the version we */
-/* requested. */
-
- if ( LOBYTE( wsaData.wVersion ) != 1 ||
- HIBYTE( wsaData.wVersion ) != 1 ) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("wrong winsock version\n", stderr);
- WSACleanup();
- exit(2);
- }
- /* The Windows Sockets DLL is acceptable. Proceed. */
-
-#endif
-}
-
-static void
-networkEnd(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
- WSACleanup();
-#endif
-}
-
static const char *
errWarn(char * funcString)
{
@@ -246,30 +206,6 @@ errWarn(char * funcString)
static void
errExit(char * funcString)
{
-#if defined (XP_WIN) && !defined(NSPR20)
- int err;
- LPVOID lpMsgBuf;
-
- err = WSAGetLastError();
-
- FormatMessage(
- FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
- NULL,
- err,
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
- (LPTSTR) &lpMsgBuf,
- 0,
- NULL
- );
-
- /* Display the string. */
- /*MessageBox( NULL, lpMsgBuf, "GetLastError", MB_OK|MB_ICONINFORMATION ); */
- fprintf(stderr, "%s\n", lpMsgBuf);
-
- /* Free the buffer. */
- LocalFree( lpMsgBuf );
-#endif
-
errWarn(funcString);
exit(3);
}
@@ -330,25 +266,11 @@ void printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
PRINTF("selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result == SECSuccess) {
@@ -439,9 +361,9 @@ launch_thread(
slot->b = b;
slot->c = c;
slot->startFunc = startFunc;
- slot->prThread = PR_CreateThread(PR_USER_THREAD, thread_wrapper, slot,
- PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_UNJOINABLE_THREAD, 0);
+ slot->prThread = PR_CreateThread(PR_USER_THREAD,
+ thread_wrapper, slot, PR_PRIORITY_NORMAL,
+ PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);
if (slot->prThread == NULL) {
printf("selfserv: Failed to launch thread!\n");
slot->state = rs_idle;
@@ -708,7 +630,8 @@ handle_connection(
newln = 0;
i = 0;
rv = PR_Read(ssl_sock, pBuf, bufRem);
- if (rv == 0) {
+ if (rv == 0 ||
+ (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
errWarn("HDX PR_Read hit EOF");
break;
}
@@ -919,10 +842,9 @@ do_accepts(
}
VLOG(("selfserv: do_accept: Got connection\n"));
- if (bigBuf.data != NULL)
- result = launch_thread(handle_fdx_connection, tcp_sock, model_sock, requestCert);
- else
- result = launch_thread(handle_connection, tcp_sock, model_sock, requestCert);
+ result = launch_thread((bigBuf.data != NULL) ?
+ handle_fdx_connection : handle_connection,
+ tcp_sock, model_sock, requestCert);
if (result != SECSuccess) {
PR_Close(tcp_sock);
@@ -952,10 +874,8 @@ server_main(
PRSocketOptionData opt;
int listenQueueDepth = 5 + (2 * maxThreads);
- networkStart();
-
/* create the thread management serialization structs */
- threadLock = PZ_NewLock(nssILockSelfServ);
+ threadLock = PZ_NewLock(nssILockSelfServ);
threadQ = PZ_NewCondVar(threadLock);
stopLock = PZ_NewLock(nssILockSelfServ);
stopQ = PZ_NewCondVar(stopLock);
@@ -1096,7 +1016,6 @@ server_main(
PR_Close(model_sock);
}
- networkEnd();
}
SECStatus
@@ -1152,11 +1071,12 @@ main(int argc, char **argv)
char * tmp;
CERTCertificate * cert [kt_kea_size] = { NULL };
SECKEYPrivateKey * privKey[kt_kea_size] = { NULL };
+ int optionsFound = 0;
unsigned short port = 0;
SECStatus rv;
PRBool useExportPolicy = PR_FALSE;
- PLOptState *optstate;
- PLOptStatus status;
+ PLOptState *optstate;
+ PLOptStatus status;
tmp = strrchr(argv[0], '/');
@@ -1164,92 +1084,65 @@ main(int argc, char **argv)
progName = strrchr(tmp, '\\');
progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:i:f:rt:vw:x");
+ optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:hi:f:rt:vw:x");
while (status = PL_GetNextOpt(optstate) == PL_OPT_OK) {
- switch(optstate->option) {
- case '2':
- fileName = optstate->value;
- break;
-
- case '3':
- disableSSL3 = PR_TRUE;
- break;
-
- case 'R':
- disableRollBack = PR_TRUE;
- break;
-
- case 'T':
- disableTLS = PR_TRUE;
- break;
-
- case 'c':
- cipherString = strdup(optstate->value);
- break;
-
- case 'd':
- dir = optstate->value;
- break;
-
- case 'f':
- fNickName = optstate->value;
- break;
-
- case 'h':
- Usage(progName);
- exit(0);
- break;
-
- case 'm':
- useModelSocket = PR_TRUE;
- break;
-
- case 'n':
- nickName = optstate->value;
- break;
-
- case 'i':
- pidFile = optstate->value;
- break;
-
- case 'p':
- port = PORT_Atoi(optstate->value);
- break;
-
- case 'r':
- ++requestCert;
- break;
-
- case 't':
- maxThreads = PORT_Atoi(optstate->value);
- if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
- if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
- break;
-
- case 'v':
- verbose++;
- break;
-
- case 'w':
- passwd = optstate->value;
- break;
-
- case 'x':
- useExportPolicy = PR_TRUE;
- break;
- default:
- case '?':
- fprintf(stderr, "Unrecognized or bad option specified.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
- exit(4);
- break;
- }
- }
- if (status == PL_OPT_BAD) {
- fprintf(stderr, "Unrecognized or bad option specified.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
- exit(5);
+ ++optionsFound;
+ switch(optstate->option) {
+ case '2': fileName = optstate->value; break;
+
+ case '3': disableSSL3 = PR_TRUE; break;
+
+ case 'R': disableRollBack = PR_TRUE; break;
+
+ case 'T': disableTLS = PR_TRUE; break;
+
+ case 'c': cipherString = strdup(optstate->value); break;
+
+ case 'd': dir = optstate->value; break;
+
+ case 'f': fNickName = optstate->value; break;
+
+ case 'h': Usage(progName); exit(0); break;
+
+ case 'm': useModelSocket = PR_TRUE; break;
+
+ case 'n': nickName = optstate->value; break;
+
+ case 'i': pidFile = optstate->value; break;
+
+ case 'p': port = PORT_Atoi(optstate->value); break;
+
+ case 'r': ++requestCert; break;
+
+ case 't':
+ maxThreads = PORT_Atoi(optstate->value);
+ if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
+ if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
+ break;
+
+ case 'v': verbose++; break;
+
+ case 'w': passwd = optstate->value; break;
+
+ case 'x': useExportPolicy = PR_TRUE; break;
+
+ default:
+ case '?':
+ fprintf(stderr, "Unrecognized or bad option specified.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(4);
+ break;
}
+ }
+ if (status == PL_OPT_BAD) {
+ fprintf(stderr, "Unrecognized or bad option specified.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(5);
+ }
+ if (!optionsFound) {
+ Usage(progName);
+ exit(51);
+ }
/* allocate the array of thread slots */
threads = PR_Calloc(maxThreads, sizeof(perThread));
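Review bot: The `if (status == PL_OPT_BAD)` block re-added after the loop no longer tests what `PL_GetNextOpt()` reported, because the loop header `while (status = PL_GetNextOpt(optstate) == PL_OPT_OK)` assigns the result of the comparison to `status`. `==` binds tighter than `=`, so `status` is 0 whenever the loop exits and a malformed option ends parsing without reaching the `exit(5)` path. Parenthesise the assignment: `while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {`. The loop header is an unchanged context line, but the new `PL_OPT_BAD` check depends on it. main's body starts and ends outside the hunk.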
@@ -1259,25 +1152,25 @@ main(int argc, char **argv)
}
if ((nickName == NULL) && (fNickName == NULL)) {
- fprintf (stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n");
+ fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
exit(6);
}
if (port == 0) {
- fprintf(stderr, "Required argument 'port' must be non-zero value\n");
- exit(7);
- }
+ fprintf(stderr, "Required argument 'port' must be non-zero value\n");
+ exit(7);
+ }
if (pidFile) {
- FILE *tmpfile=fopen(pidFile,"w+");
-
- if (tmpfile) {
- fprintf(tmpfile,"%d",getpid());
- fclose(tmpfile);
- }
+ FILE *tmpfile=fopen(pidFile,"w+");
+
+ if (tmpfile) {
+ fprintf(tmpfile,"%d",getpid());
+ fclose(tmpfile);
+ }
}
-
+
/* Call the NSPR initialization routines */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
@@ -1314,29 +1207,29 @@ main(int argc, char **argv)
if (cipherString) {
int ndx;
- /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
-
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
-
- if (! isalpha(ndx)) {
- fprintf(stderr,
- "Non-alphabetic char in cipher string (-c arg).\n");
- exit(9);
- }
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SECStatus status;
- status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- SECU_PrintError(progName, "SSL_CipherPrefSet()");
- }
- }
+ /* disable all the ciphers, then enable the ones we want. */
+ disableSSL2Ciphers();
+ disableSSL3Ciphers();
+
+ while (0 != (ndx = *cipherString++)) {
+ int *cptr;
+ int cipher;
+
+ if (! isalpha(ndx)) {
+ fprintf(stderr,
+ "Non-alphabetic char in cipher string (-c arg).\n");
+ exit(9);
+ }
+ cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+ for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+ /* do nothing */;
+ if (cipher) {
+ SECStatus status;
+ status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
+ if (status != SECSuccess)
+ SECU_PrintError(progName, "SSL_CipherPrefSet()");
+ }
+ }
}
if (nickName) {
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index 58a72ebef..49fc111e9 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -35,6 +35,7 @@
#include "zip.h"
#include "prmem.h"
#include "blapi.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
static int create_pk7 (char *dir, char *keyName, int *keyType);
static int jar_find_key_type (CERTCertificate *cert);
@@ -581,7 +582,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
{
int nb;
char ibuf[4096], digestdata[32];
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
unsigned int len;
@@ -593,7 +594,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
return -1;
/* XXX probably want to extend interface to allow other hash algorithms */
- hashObj = &SECHashObjects[HASH_AlgSHA1];
+ hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c
index 9eaf93146..173afbd60 100644
--- a/security/nss/cmd/signver/signver.c
+++ b/security/nss/cmd/signver/signver.c
@@ -44,6 +44,7 @@
#include "prmem.h"
/* Portable layer header files */
#include "plstr.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
static int debugInfo = 0;
@@ -118,10 +119,10 @@ DigestData (unsigned char *digest, unsigned char *data,
unsigned int *len, unsigned int maxLen,
HASH_HashType hashType)
{
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
- hashObj = &SECHashObjects[hashType];
+ hashObj = HASH_GetHashObject(hashType);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
return -1;
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index e0085d12a..d826c3a21 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -111,6 +111,8 @@ int certsTested;
int MakeCertOK;
int NoReuse;
+SSL3Statistics * ssl3stats;
+
void
disableSSL2Ciphers(void)
{
@@ -299,21 +301,6 @@ myBadCertHandler( void *arg, PRFileDesc *fd)
return (MakeCertOK ? SECSuccess : SECFailure);
}
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
-
void
printSecurityInfo(PRFileDesc *fd)
{
@@ -341,9 +328,9 @@ printSecurityInfo(PRFileDesc *fd)
PRINTF(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hsh_sid_cache_hits,
- ssl3_hsh_sid_cache_misses,
- ssl3_hsh_sid_cache_not_ok);
+ ssl3stats->hsh_sid_cache_hits,
+ ssl3stats->hsh_sid_cache_misses,
+ ssl3stats->hsh_sid_cache_not_ok);
}
@@ -1076,9 +1063,14 @@ main(int argc, char **argv)
case 'w':
passwd = optstate->value;
break;
- case '\0':
+
+ case 0: /* positional parameter */
+ if (hostName) {
+ Usage(progName);
+ }
hostName = PL_strdup(optstate->value);
break;
+
default:
case '?':
Usage(progName);
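Review bot: The new `if (hostName) { Usage(progName); }` guard rejects a second positional argument only if `Usage()` terminates the process, which this hunk does not show. If it returns, control falls through to `hostName = PL_strdup(optstate->value);`, the earlier string is leaked and the last host name silently wins. Making the intent explicit costs one statement: `if (hostName) { Usage(progName); exit(1); }`. The result of `PL_strdup()` is also not checked for NULL before it is stored. The switch continues outside the hunk.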
@@ -1108,6 +1100,7 @@ main(int argc, char **argv)
fputs("NSS_Init failed.\n", stderr);
exit(1);
}
+ ssl3stats = SSL_GetStatistics();
if (nickName) {
@@ -1143,20 +1136,26 @@ main(int argc, char **argv)
client_main(port, connections, privKey, cert, hostName, nickName);
/* some final stats. */
- if (ssl3_hsh_sid_cache_hits + ssl3_hsh_sid_cache_misses +
- ssl3_hsh_sid_cache_not_ok == 0) {
+ if (ssl3stats->hsh_sid_cache_hits + ssl3stats->hsh_sid_cache_misses +
+ ssl3stats->hsh_sid_cache_not_ok == 0) {
/* presumably we were testing SSL2. */
printf("strsclnt: %d server certificates tested.\n", certsTested);
} else {
printf(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hsh_sid_cache_hits,
- ssl3_hsh_sid_cache_misses,
- ssl3_hsh_sid_cache_not_ok);
+ ssl3stats->hsh_sid_cache_hits,
+ ssl3stats->hsh_sid_cache_misses,
+ ssl3stats->hsh_sid_cache_not_ok);
}
- exitVal = (ssl3_hsh_sid_cache_misses > 1) ||
- (ssl3_hsh_sid_cache_not_ok != 0) ||
- (certsTested > 1);
+
+ if (!NoReuse)
+ exitVal = (ssl3stats->hsh_sid_cache_misses > 1) ||
+ (ssl3stats->hsh_sid_cache_not_ok != 0) ||
+ (certsTested > 1);
+ else
+ exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
+ (certsTested != connections);
+
NSS_Shutdown();
PR_Cleanup();
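Review bot: The new `NoReuse` branch of the exit-status computation reports failure for every run in which the three `hsh_sid_cache_*` counters are all zero. That is the case the branch just above labels "presumably we were testing SSL2": `ssl3stats->hsh_sid_cache_misses != connections` is then true whenever `connections` is non-zero. If SSL2 together with NoReuse is a supported combination (not visible here), that case should test only `certsTested != connections`. The multi-line `if`/`else` bodies would also be safer with braces. main continues outside the hunk.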
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index cf217dc40..33a0910ec 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -123,21 +123,7 @@ void printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result != SECSuccess)
@@ -152,8 +138,8 @@ extern long ssl3_hch_sid_cache_not_ok;
fprintf(stderr,
"%ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
}
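Review bot: The message still prints the `hch_sid_cache_*` members, which the removed comments describe as the counters from ssl3_HandleClientHello, while strsclnt.c in this same commit reports `hsh_sid_cache_*` (ssl3_HandleServerHello). If tstclnt only ever acts as a client, as its name suggests, it never handles a ClientHello and these three values would always print as zero. In that case `ssl3stats->hsh_sid_cache_hits`, `ssl3stats->hsh_sid_cache_misses` and `ssl3stats->hsh_sid_cache_not_ok` look like the intended fields. The commit carries the old choice over unchanged, so this needs confirming against the library rather than assuming. printSecurityInfo begins outside this hunk.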
@@ -214,24 +200,22 @@ milliPause(PRUint32 milli)
}
void
-disableSSL2Ciphers(void)
-{
- int i;
-
- /* disable all the SSL2 cipher suites */
- for (i = 0; ssl2CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
- }
-}
-
-void
-disableSSL3Ciphers(void)
+disableAllSSLCiphers(void)
{
- int i;
+ const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+ int i = SSL_NumImplementedCiphers;
+ SECStatus rv;
/* disable all the SSL3 cipher suites */
- for (i = 0; ssl3CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
+ while (--i >= 0) {
+ PRUint16 suite = cipherSuites[i];
+ rv = SSL_CipherPrefSetDefault(suite, SSL_NOT_ALLOWED);
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ printf("SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n",
+ suite, i, SECU_Strerror(err));
+ exit(2);
+ }
}
}
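Review bot: The comment inside `disableAllSSLCiphers()` still reads `/* disable all the SSL3 cipher suites */`, but the loop now walks every entry of `SSL_ImplementedCiphers`; it should say `/* disable every implemented cipher suite */`. The failure message names `SSL_CipherPrefSet` although the call is `SSL_CipherPrefSetDefault`, and it is written to stdout with `printf` while printSecurityInfo in the same file writes to stderr. The function also has no header comment. One line stating that it changes the default cipher preferences and exits with status 2 on the first failure would tell callers what to expect.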
@@ -379,8 +363,7 @@ int main(int argc, char **argv)
/* all the SSL2 and SSL3 cipher suites are enabled by default. */
if (cipherString) {
/* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ disableAllSSLCiphers();
}
/* Lookup host */